Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 010fd50c36
Branches Tags
tor
/
doc
/
spec
/
proposals
/
122-unnamed-flag.txt

122-unnamed-flag.txt 3.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081 
  1. Filename: xxx-unnamed-flag.txt
    2. 

  2. Title: Network status entries need a new Unnamed flag
    3. 

  3. Version: $Revision$
    4. 

  4. Last-Modified: $Date$
    5. 

  5. Author: Roger Dingledine
    6. 

  6. Created: 04-Oct-2007
    7. 

  7. Status: Open
    8. 

  8. 

  9. Overview:
    10. 

  10. 

  11.   Tor's directory authorities can give certain servers a "Named" flag
    12. 

  12.   in the network-status entry, when they want to bind that nickname to
    13. 

  13.   that identity key. This allows clients to specify a nickname rather
    14. 

  14.   than an identity fingerprint and still be certain they're getting the
    15. 

  15.   "right" server. As dir-spec.txt describes it,
    16. 

  16. 

  17.     Name X is bound to identity Y if at least one binding directory lists
    18. 

  18.     it, and no directory binds X to some other Y'.
    19. 

  19. 

  20.   In practice, clients can refer to servers by nickname whether they are
    21. 

  21.   Named or not; if they refer to nicknames that aren't Named, a complaint
    22. 

  22.   shows up in the log asking them to use the identity key in the future
    23. 

  23.   --- but it still works.
    24. 

  24. 

  25.   The problem? Imagine a Tor server with nickname Bob. Bob and his
    26. 

  26.   identity fingerprint are registered in tor26's approved-routers
    27. 

  27.   file, but none of the other authorities registered him. Imagine
    28. 

  28.   there are several other unregistered servers also with nickname Bob
    29. 

  29.   ("the imposters").
    30. 

  30. 

  31.   While Bob is online, all is well: a) tor26 gives a Named flag to
    32. 

  32.   the real one, and refuses to list the other ones; and b) the other
    33. 

  33.   authorities list the imposters but don't give them a Named flag. Clients
    34. 

  34.   who have all the network-statuses can compute which one is the real Bob.
    35. 

  35. 

  36.   But when the real Bob disappears and his descriptor expires? tor26
    37. 

  37.   continues to refuse to list any of the imposters, and the other
    38. 

  38.   authorities continue to list the imposters. Clients don't have any
    39. 

  39.   idea that there exists a Named Bob, so they can ask for server Bob and
    40. 

  40.   get one of the imposters. (A warning will also appear in their log,
    41. 

  41.   but so what.)
    42. 

  42. 

  43. The stopgap solution:
    44. 

  44. 

  45.   tor26 should start accepting and listing the imposters, but it should
    46. 

  46.   assign them a new flag: "Unnamed". This would produce three cases from
    47. 

  47.   the client perspective:
    48. 

  48. 

  49.   1) A unique Bob is listed as Named, and nobody lists that Bob as
    50. 

  50.   Unnamed. Clients can refer to Bob by nickname and be confident.
    51. 

  51. 

  52.   2) Every Bob is listed by some authority as Unnamed. Clients asking
    53. 

  53.   for Bob should get a warning in the log and their request should fail
    54. 

  54.   ("no such router").
    55. 

  55. 

  56.   3) At least one Bob is not listed by any authorities as Unnamed, but
    57. 

  57.   there is no unique Named Bob. In this case we do what we did before
    58. 

  58.   (currently "warn but allow it").
    59. 

  59. 

  60. Problems not solved by this stopgap:
    61. 

  61. 

  62.   If tor26 is the only authority that provides a binding for Bob, when
    63. 

  63.   tor26 goes offline we're back in our previous situation -- the imposters
    64. 

  64.   can be referenced with a mere ignorable warning in the client's log.
    65. 

  65. 

  66.   If some other authority Names a different Bob, and tor26 goes offline,
    67. 

  67.   then that other Bob becomes the unique Named Bob.
    68. 

  68. 

  69.   So be it. We should try to solve these one day, but there's no clear way
    70. 

  70.   to do it that doesn't destroy usability in other ways, and if we want
    71. 

  71.   to get the Unnamed flag into v3 network statuses we should add it soon.
    72. 

  72. 

  73. Other benefits:
    74. 

  74. 

  75.   This new flag will allow people to operate servers that happen to have
    76. 

  76.   the same nickname as somebody who registered their server two years ago
    77. 

  77.   and left soon after. Right now there are dozens of nicknames that are
    78. 

  78.   registered on all three binding directory authorities, yet haven't been
    79. 

  79.   running for years. While it's bad that these nicknames are effectively
    80. 

  80.   blacklisted from the network, the really bad part is that this logic
    81. 

  81.   is really unintuitive to prospective new server operators.
    82.