Create an ed25519 shared randomness key for dirauths
In proposal250, dirauths sign their commitments. We assume an ed25519 key is going to be used for signatures, both for signature length and for security. Unfortunately, there is currently no ed25519 key that authorities use.
I talked to Nick about this and he suggested that a new key will need to be created especially for this reason. IIUC this new SR key will need to be chain-certified down to the RSA signing key, since we still use RSA keys as the long-term identity of dirauths.
A few questions here:
a) What's the key hierarchy we are aiming for here?
RSA signing key -> ed25519 identity key -> ed25519 signing key -> ed25519 SR key
RSA signing key -> ed25519 signing key -> ed25519 SR key
RSA signing key -> ed25519 SR key
We discussed this in IRC the other day, but my box crashed and I lost backlog :( Could you please remind me what's the best option here?
b) Where should these new long-term ed25519 keys be listed? Should they be part of the dir-key-certificate-version block in the votes?
c) How should they be generated? It should be part of tor-gencert, right? Sebastian pointed out that dirauths firing up tor-gencert in their offline machines is not an easy task and costs them lots of money and time. So we should make sure that this procedure works for them well.
What is the procedure for generating new keys with tor-gencert? I would like to understand this, since Sebastian suggested we should prepare the tor-gencert patch well in advance, and send an email to dirauth operators so that they have time to run it and be all set by the time the shared randomness patch hits Tor.
If we do so, then in the shared randomness code we can assume that the keys are already generated. If they are not, we should complain to the dirauth operator and ask them to run the tor-gencert command. However, it should also be possible for a dirauth operator that doesn't have the right ed25519 keys to work as a dirauth but not participate in the SR protocol.
d) This seems like lots of work! Is there a less demanding way out? For example, would it be super stupid to just sign the ed25519 SR key with the long-term RSA signing key?
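The shortest hierarchy listed above (RSA signing key -> ed25519 SR key, the option question d asks about), sketched in Go as an added example that is not Tor code and not part of the original ticket. The certificate format, the prefix string and the function names are assumptions made for illustration, and a freshly generated RSA key stands in for a dirauth's signing key.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// certDigest hashes a made-up domain-separation prefix plus the SR public key.
func certDigest(srPub ed25519.PublicKey) []byte {
	d := sha256.Sum256(append([]byte("example-sr-key-cert-v1:"), srPub...))
	return d[:]
}

// NewAuthority makes a stand-in RSA signing key and an SR key certified by it.
func NewAuthority() (*rsa.PrivateKey, ed25519.PrivateKey, []byte, error) {
	signing, err := rsa.GenerateKey(rand.Reader, 2048)
	pub, sr, err2 := ed25519.GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		return nil, nil, nil, fmt.Errorf("key generation failed: %v, %v", err, err2)
	}
	cert, err := rsa.SignPKCS1v15(rand.Reader, signing, crypto.SHA256, certDigest(pub))
	return signing, sr, cert, err
}

// VerifyCommit walks the chain: RSA signing key -> SR key -> commitment.
func VerifyCommit(signing *rsa.PublicKey, srPub ed25519.PublicKey, cert, commit, sig []byte) error {
	if len(srPub) != ed25519.PublicKeySize {
		return fmt.Errorf("no usable SR key: authority sits out the SR protocol")
	}
	if err := rsa.VerifyPKCS1v15(signing, crypto.SHA256, certDigest(srPub), cert); err != nil {
		return fmt.Errorf("SR key not certified by signing key: %w", err)
	}
	if !ed25519.Verify(srPub, commit, sig) {
		return fmt.Errorf("bad commitment signature")
	}
	return nil
}

func main() {
	signing, sr, cert, err := NewAuthority()
	if err != nil {
		panic(err)
	}
	c := []byte("constructed commitment")
	fmt.Println(VerifyCommit(&signing.PublicKey, sr.Public().(ed25519.PublicKey), cert, c, ed25519.Sign(sr, c)))
}
```

A verifier that receives no SR key gets an error from the first check and can treat that authority as not participating, which matches the fallback described under c).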