#11457: Closed (moved)
Issue created Apr 09, 2014 by Roger Dingledine (@arma)

Making a signing cert in the future will make everybody discard your real signing cert and then want it again

Run an authority, with a normal signing authority_certificate. Then move your date into the future (has to be more than one week in the future), and generate and use another signing cert. Relays, clients, and other directory authorities will smoothly upgrade to your new one, and (barring issues like #11454) throw out your old signing cert.

Then throw out your shiny new one, and go back to the one you had been using. Other Tors (dir auths, relays, clients) will say "oh hey, a signature from a cert I don't recognize, let me fetch that". So far so good.

Then 60 seconds later they'll discard this cert, because they know a newer one. Oops.

But this is where it gets good. Your authority discards this older cert too. So do other authorities. And relays.

And then everybody wants a copy and nobody has one, so every 60 seconds everybody asks the next layer up in the dir hierarchy. Everybody's logs are filled with

Apr 09 03:44:55.000 [warn] Received http status code 404 ("Not found") from server '127.0.0.1:3002' while fetching "/tor/keys/fp-sk/AD23D263206B997C73AF9B488322E91766748C2C-4335577168B0C0C22AC4A1A0707DD72F41CC8DA6".

each minute.
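
A log check for the symptom described in this report, as an added example that is not part of the original issue or of Tor's code: it groups the 404 warnings by the identity fingerprint and signing key digest in the `fp-sk` path and flags certs that keep being requested at roughly one-minute intervals. The thresholds (`min_repeats`, `max_gap`), the extra timestamps and the second cert in the sample are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of the warning quoted in the report. The fp-sk path carries
# <authority identity fingerprint>-<signing key digest>, '+'-joined if several.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d{3} \[warn\] Received http status '
    r'code 404 \("Not found"\) from server \'[^\']+\' while fetching '
    r'"/tor/keys/fp-sk/(?P<pairs>[0-9A-F+-]+)"')

def find_cert_fetch_loops(lines, year=2014, min_repeats=3, max_gap=90):
    """Map (identity_fp, signing_key_digest) -> longest run of 404s whose
    consecutive gaps are <= max_gap seconds, keeping runs >= min_repeats."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Tor log timestamps omit the year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for pair in m["pairs"].split("+"):
            fp, _, sk = pair.partition("-")
            if len(fp) == 40 and len(sk) == 40:
                seen[(fp, sk)].append(ts)
    loops = {}
    for key, stamps in seen.items():
        stamps.sort()
        run = best = 1
        for prev, cur in zip(stamps, stamps[1:]):
            run = run + 1 if (cur - prev).total_seconds() <= max_gap else 1
            best = max(best, run)
        if best >= min_repeats:
            loops[key] = best
    return loops

# Constructed sample: the report's line repeated at one-minute intervals,
# plus a single 404 for a made-up cert that must not be flagged.
_FMT = ('Apr 09 {t}.000 [warn] Received http status code 404 ("Not found") '
        "from server '127.0.0.1:3002' while fetching \"/tor/keys/fp-sk/{p}\".")
REPORTED = ("AD23D263206B997C73AF9B488322E91766748C2C",
            "4335577168B0C0C22AC4A1A0707DD72F41CC8DA6")
SAMPLE_LOG = [_FMT.format(t=t, p="-".join(REPORTED))
              for t in ("03:44:55", "03:45:55", "03:46:55", "03:47:55")]
SAMPLE_LOG.append(_FMT.format(t="03:45:10", p="1" * 40 + "-" + "2" * 40))

if __name__ == "__main__":
    for (fp, sk), n in find_cert_fetch_loops(SAMPLE_LOG).items():
        print(f"cert fetch loop: identity={fp} signing-key={sk} 404s={n}")
```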
