Putting the security of the scheme aside, one question that comes to
mind is how Alice (the OP) is going to get an authentic copy of Ricky's
DH public key, y. One way to do this is to include it in the router
descriptors. But then we have to ask if it's worth adding a new public
key for each OR to the Tor PKI to just save one exponentiation during
session key agreement.
-James
We already distribute different keys for the current protocol. But the
one I proposed is insecure so we might as well forget about it. Schnorr
signatures are secure and are intended for this purpose, but we can only
use them after 2008.
The way things are done now, each OR has two public keys in its router
descriptor. You are, I think, suggesting that another be added. I was
just wondering if you had considered the extra bandwidth load this puts
on the directory servers. If the extra load is substantial (maybe it
isn't, I don't know), then maybe we shouldn't give the ORs another
public key to manage just to save one 1024-bit exponentiation.
-James