Different TLS certs for incoming vs outgoing
We should learn to present different TLS certs for incoming connections vs outgoing connections.
The motivating example is bridges. They want to show the same identity to people who connect, yet behave like clients when they connect to other relays (e.g. change keys when they change IP addresses).
(Of course, this change would provide a new way to test for bridges: if a Tor connects to you, connect back and see if the cert is different. But at least that's an active test that requires the bridge to connect to you first. But then, the attack I describe above only kicks in when the bridge connects to you. Hm.)