Skip to content

A newer signing cert should innoculate us against older ones?

Sometime in the past year or two somebody might have stolen 7 of the 9 active directory signing keys. They don't expire for several months or more.

If the existing directory authorities rotate to new signing keys, that doesn't really change the fact that older ones remain valid.

If we change Tor to look at its cached-certs and refuse to believe in a signing key if it's convinced there's a newer one, then we can invalidate older ones by generating newer ones.

That approach wouldn't protect users who are bootstrapping for the first time, but it would protect them if they'd already bootstrapped. Is this a worthwhile improvement?

Note that we'd have to sort out edge cases like #11457 (moved) -- basically in this case it would mean that if you ever generate a signing key too far in the future and then also want to go back to an earlier one, you're fucked. But has anybody ever needed to do that?

To tolerate rotation better, we'd want the logic to be something like the suggested fix in #11454 (moved): only disbelieve a cert if a) we have a newer one and b) the one we're disbelieving is sufficiently older than now.

We could also think about shipping with a cached-certs file to keep raising the bar as users upgrade.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information