[tor-talk] Revoking your secret_id_key
Nick Mathewson
nickm at alum.mit.edu
Mon Oct 3 23:44:19 UTC 2011
On Wed, Sep 28, 2011 at 6:09 AM, Anthony G. Basile
<basile at opensource.dyc.edu> wrote:
> Hi everyone,
>
> Is there a way of revoking your tor relay's secret_id_key? For
> instance, suppose your server is compromised and you want to tell the
> world, don't trust this node anymore as a relay and/or exit, how would
> you do that? The question occurred to me as I working with gpg.
The authorities can block nodes from appearing in the directory if you
convince them to do so. One way to do that with cryptography is:
* Make sure that your Contact line includes a GPG key fingerprint
for a key that you control.
* If you need your node taken out of the directories, send out an
announcement saying so, signed with that GPG key.
Though in practice, people have gotten their nodes de-listed by just
sending out an unsigned announcement to the effect and convincing
everybody that they were really them. There is probably an attack
opportunity there.
It might be worthwhile to add a feature where each Tor server
generates a signed "permanent shutdown notice" at the same time it
generates its key, and to suggest to node operators that they keep a
copy of that notice someplace secure so that they can circulate it as
needed if they need to prove that they are saying this node has been
compromised. It'd probably need a design proposal. I'm not sure how
much of a win it is over the GPG solution above: it saves some steps,
but still requires you to make preparations in advance.
yrs,
--
Nick
More information about the tor-talk
mailing list