Re: [tor-bugs] #11119 [Tor]: Write a proposal for client-side key pinning
#9: Write a proposal for client-side key pinning
-----------------------+----------------------------------------------------
Reporter: nickm        | Owner:
Type: defect           | Status: needs_information
Priority: normal       | Milestone: Tor: 0.2.???
Component: Tor         | Version:
Resolution:            | Keywords: tor-client needs-proposal 026-triaged-1
Actual Points:         |
Points:                | Parent ID:
-----------------------+----------------------------------------------------
Changes (by nickm):

 * milestone: Tor: 0.2.6.x-final => Tor: 0.2.???

--
Ticket URL: https://trac.torproject.org/projects/tor/ticket/9#comment:4
Tor Bug Tracker Wiki https://trac.torproject.org/
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #11119 [Tor]: Write a proposal for client-side key pinning
#9: Write a proposal for client-side key pinning
-----------------------+----------------------------------------------------
Reporter: nickm        | Owner:
Type: defect           | Status: needs_information
Priority: normal       | Milestone: Tor: 0.2.6.x-final
Component: Tor         | Version:
Resolution:            | Keywords: tor-client needs-proposal 026-triaged-1
Actual Points:         |
Points:                | Parent ID:
-----------------------+----------------------------------------------------
Changes (by nickm):

 * status: new => needs_information

Comment:

 I started writing up a proposal draft here, but I'm not currently seeing
 the point of it.

 If a client has a correct consensus, it should get the correct
 RSA1024-Ed25519 mappings unless the authorities are lying. But if the
 authorities are lying, they can poison the clients in lots of other ways
 too.

 Similarly, for stuff like bridges, we can export the ed25519 key in the
 bridge line, and we don't need to remember the RSA1024 key at all. That's
 probably a better idea than pinning in the first place, right?

 For guards, we should remember every public key we've seen for the guard,
 and only connect if all the keys are good.

 So, what's the value here? What's the threat model it helps for?

--
Ticket URL: https://trac.torproject.org/projects/tor/ticket/9#comment:2

Re: [tor-bugs] #11119 [Tor]: Write a proposal for client-side key pinning
#9: Write a proposal for client-side key pinning
-----------------------+----------------------------------------------------
Reporter: nickm        | Owner:
Type: defect           | Status: needs_information
Priority: normal       | Milestone: Tor: 0.2.6.x-final
Component: Tor         | Version:
Resolution:            | Keywords: tor-client needs-proposal 026-triaged-1
Actual Points:         |
Points:                | Parent ID:
-----------------------+----------------------------------------------------
Changes (by nickm):

 * cc: arma (added)

--
Ticket URL: https://trac.torproject.org/projects/tor/ticket/9#comment:3

Re: [tor-bugs] #11119 [Tor]: Write a proposal for client-side key pinning
#9: Write a proposal for client-side key pinning
-----------------------+----------------------------------------------------
Reporter: nickm        | Owner:
Type: defect           | Status: new
Priority: normal       | Milestone: Tor: 0.2.6.x-final
Component: Tor         | Version:
Resolution:            | Keywords: tor-client needs-proposal 026-triaged-1
Actual Points:         |
Points:                | Parent ID:
-----------------------+----------------------------------------------------
Changes (by nickm):

 * keywords: tor-client needs-proposal => tor-client needs-proposal 026-triaged-1

--
Ticket URL: https://trac.torproject.org/projects/tor/ticket/9#comment:1

[tor-bugs] #11119 [Tor]: Write a proposal for client-side key pinning
#9: Write a proposal for client-side key pinning
---------------------------------------+------------------------------------
Reporter: nickm                        | Owner:
Type: defect                           | Status: new
Priority: normal                       | Milestone: Tor: 0.2.6.x-final
Component: Tor                         | Version:
Keywords: tor-client needs-proposal    | Actual Points:
Parent ID:                             | Points:
---------------------------------------+------------------------------------
 Proposal 220 suggests that we pin RSA and Ed25519 identity keys to one
 another authority-side. Roger suggested to me that we also consider doing
 client-side identity pinning.

--
Ticket URL: https://trac.torproject.org/projects/tor/ticket/9