Extend onion address to include authentication data
At the moment using authenticated onion services is really painful for a client. One need to find
torrc somewhere, add a line to it and restart tor. These requirements are making them effectively usable.
I got an idea to append authentication data directly to hostname. In order to avoid mixing with upcoming prop224 service ids there should be a separator. According to RFC 952 is is possible to use hyphen (
-) in a hostname as this separator. So we have the following scheme:
s2mdezeof64lrcft.onion - public onion
nf2kpynuymdd63wms6nkq5if4m-s2mdezeof64lrcft.onion - authenticated onion
As it is base32 there are only two bits left (instead of of 4 with base64) so we can encode two more auth types.
I've implemented this idea for the client code (you have to convert descriptor cookie from base64 yourself for now). Please have a look at the patch attached.
- Due to how client cache works for now, once intropoints are decrypted/not decrypted there will be cache entry that blocks auth data change. This requires client cache rewrite to decrypt intropoints at each request (make it stateless).
It would be nice to hear any thoughts and comments on this.