[tor-bugs] #27953 [Core Tor/Tor]: Authorization types for v3 onion service have to be clarified in documentation

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jan 9 13:30:45 UTC 2019

#27953: Authorization types for v3 onion service have to be clarified in
 Reporter:  geoip                      |          Owner:  (none)
     Type:  defect                     |         Status:  reopened
 Priority:  Medium                     |      Milestone:  Tor: unspecified
Component:  Core Tor/Tor               |        Version:
 Severity:  Normal                     |     Resolution:
 Keywords:  tor-spec, tor-hs, hs-auth  |  Actual Points:
Parent ID:                             |         Points:
 Reviewer:                             |        Sponsor:
Changes (by geoip):

 * status:  closed => reopened
 * resolution:  duplicate =>
 * parent:  #28026 =>


 Replying to [comment:4 teor]:
 > If not, please re-open this ticket and let us know what the remaining
 > issues are.
 It is good that now we have a CLIENT AUTHORIZATION section in man torrc, but
 all other issues I reported in this ticket are still in place.

 >> [TODO: Also specify stealth client authorization.].
 > However, stealth auth is only used for v2 onion services. It should be
 It is still in spec. It is still not stated to what HS type (v2 or v3 or
 both) it is applicable. This "TODO" still needs to be done, if stealth
 auth is applicable to v3.

 > According to teor's comment the following auth types were planned:
 > 'descriptor', 'intro', and 'standard'. However, only 'descriptor' type is
 > documented by spec (man page for tor alpha refers to spec for details).
 > Other auth types are not documented at all, though spec gives a strong
 > impression that 'descriptor' is only one of possible authentication types.
 > How was it addressed? Can you give a clear and concise description of auth
 > types? Do you still plan to add other auth types? Are they needed? How
 > are they related to each other? It is not described anywhere.

 It is good that man page now clearly states that "descriptor" is the only
 supported type. But I'd also like to see something in spec or somewhere
 else about prospects concerning other auth types.

 man torrc says
 > Each file MUST contain one line only. Any malformed file will be
 which is incompatible with spec (G.1.2, G.1.3):
 > Tor SHOULD ignore lines it does not recognize.

 > The third party tool SHOULD add appropriate headers to the private key
 > file to ensure that users won't accidentally give out their private key.
 As you see, headers should be supported, but ignored by tor. Instead, you
 write in man torrc that only one line must be in auth file.

 > [XXX figure out control port command format]
 Must be described.

 In spec in G.2.2 the syntax of commands IMPORT_ONION_CLIENT_AUTH_DATA and
 GENERATE_ONION_CLIENT_AUTH_DATA is not described. In control-spec they
 are not described either. Are they implemented?

 > [XXX what happens when people use both the control port interface and
 > the filesystem interface?]
 If even spec doesn't know how tor works, how can users know that?

 I had to remove reference to parent ticket because I cannot reopen this
 ticket with this reference.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27953#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online