Skip to content

GitLab

  • Menu
Projects Groups Snippets
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
  • Tor Tor
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 832
    • Issues 832
    • List
    • Boards
    • Service Desk
    • Milestones
  • Merge requests 31
    • Merge requests 31
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Repository
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • The Tor Project
  • Core
  • TorTor
  • Issues
  • #11458

Closed (moved)
(moved)
Open
Created Apr 09, 2014 by Roger Dingledine@armaReporter

A newer signing cert should innoculate us against older ones?

Sometime in the past year or two somebody might have stolen 7 of the 9 active directory signing keys. They don't expire for several months or more.

If the existing directory authorities rotate to new signing keys, that doesn't really change the fact that older ones remain valid.

If we change Tor to look at its cached-certs and refuse to believe in a signing key if it's convinced there's a newer one, then we can invalidate older ones by generating newer ones.

That approach wouldn't protect users who are bootstrapping for the first time, but it would protect them if they'd already bootstrapped. Is this a worthwhile improvement?

Note that we'd have to sort out edge cases like legacy/trac#11457 (moved) -- basically in this case it would mean that if you ever generate a signing key too far in the future and then also want to go back to an earlier one, you're fucked. But has anybody ever needed to do that?

To tolerate rotation better, we'd want the logic to be something like the suggested fix in legacy/trac#11454 (moved): only disbelieve a cert if a) we have a newer one and b) the one we're disbelieving is sufficiently older than now.

We could also think about shipping with a cached-certs file to keep raising the bar as users upgrade.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Assignee
Assign to
Time tracking