[tor-dev] adding smartcard support to Tor

Ivan Markin twim at riseup.net
Sun Oct 18 12:10:41 UTC 2015


Razvan Dragomirescu:
> Ivan, if I understand
> https://onionbalance.readthedocs.org/en/latest/design.html#next-generation-onion-services-prop-224-compatibility
> correctly, the setup I've planned will no longer work once Tor switches to
> the next generation hidden services architecture, is this correct? Will
> there be any backwards compatibility or will old hidden services simply
> stop working at that point?

No, actually the setup will work. But it will not work until the code
base (of the OB) is changed*. For now one can sign an arbitrary set of IPs
with their key (you can test it with e.g. the Facebook HS) and this
descriptor will be valid [1].
Cross-certifications are just a mechanism for hardening this process. In
order to make the frontend descriptor valid, backend instances must "be
aware" of the frontend. So backend nodes certify the public key of the
frontend, and then they can be included in a frontend descriptor.
[using OB terminology]

[*] Also there is still only RSA crypto in the OB.

[1] https://trac.torproject.org/projects/tor/ticket/15951
-- 
Ivan Markin
/"\
\ /       ASCII Ribbon Campaign
 X    against HTML email & Microsoft
/ \  attachments! http://arc.pasp.de/
