How to add a v3 directory authority.

What we'll be doing:

We'll be configuring your Tor server as a v3 directory authority,
generating a v3 identity key plus certificates, and adding your v3
identity fingerprint to the list of default directory authorities.

The steps:

0) Make sure you're running ntp, and that your time is correct.

   Make sure you have Tor version at least r11953. In the short term,
   running a working authority may mean running the latest version of
   Tor from SVN trunk. Later on, we hope that it will become easier
   and you can just run a recent development release (and later still,
   a recent stable release).
1) First, you'll need a certificate. Run ./src/tools/tor-gencert to
   generate one.

   Run tor-gencert in a separate, very secure directory. The first time
   you run it, you will need to run it with the --create-identity-key
   option to make a v3 authority identity key. Subsequent times, you
   can just run it as-is.

   tor-gencert will make 3 files:

     authority_identity_key -- THIS IS VERY SECRET AND VERY SENSITIVE.
                               DO NOT LEAK IT. DO NOT LOSE IT.
     authority_signing_key  -- A key for signing votes and v3 consensuses.
     authority_certificate  -- A document authenticating your signing key
                               with your identity key.

   You will need to rotate your signing key periodically. The current
   default lifetime is 1 year. We'll probably take this down to a month or
   two some time soon. To rotate your key, run tor-gencert as before,
   but without the --create-identity-key option.
2) Copy authority_signing_key and authority_certificate to your Tor keys
   directory.

   For example, if your data directory is /var/lib/tor/, you should run

     cp authority_signing_key authority_certificate /var/lib/tor/keys/

   You will need to repeat this every time you rotate your certificate.

3) Tell your Tor to be a v3 authority by adding these lines to your torrc:

     AuthoritativeDirectory 1
     V3AuthoritativeDirectory 1
4) Now your authority is generating a networkstatus opinion (called a
   "vote") every period, but none of the other authorities care yet. The
   next step is to get a Tor developer (likely Roger or Nick) to add
   your v3 identity fingerprint to the default list of dirservers.

   First, you need to learn your authority's v3 identity fingerprint.
   It should be in your authority_certificate file in a line like:

     fingerprint 3041632465FA8847A98B2C5742108C72325532D9

   One of the Tor developers then needs to add this fingerprint to
   the add_default_trusted_dirservers() function in config.c, using
   the syntax "v3ident=<fingerprint>". For example, if moria1's new v3
   identity fingerprint is FOO, the moria1 dirserver line should now be:

     DirServer moria1 v1 orport=9001 v3ident=FOO 128.31.0.34:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441

   The v3ident item must appear after the nickname and before the IP.
5) Once your fingerprint has been added to config.c, we will try to
   get a majority of v3 authorities to upgrade, so they know about you
   too. At that point your vote will automatically be included in the
   networkstatus consensus, and you'll be a fully-functioning contributing
   v3 authority.

   Note also that a majority of the configured v3 authorities need to
   agree in order to generate a consensus: so this is also the point
   where extended downtime on your server means missing votes.
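As an added example (not from the Tor docs or source tree), a POSIX sh helper that performs steps 1, 2 and 4 above: it assumes tor-gencert is on PATH, takes the DataDirectory as an argument, and adds 0700/umask 077 hardening for the key directory that the text only describes as "very secure". The sample certificate is constructed and carries only the fingerprint line.

```shell
# Added helper for the steps above (not Tor's own code). Assumptions:
# tor-gencert is on PATH and Tor's DataDirectory is passed as an argument.
set -eu

# Step 1: generate keys in a dedicated directory readable only by this user.
# First run creates the identity key; later runs rotate signing key + cert.
gen_authority_keys() {
    keydir=$1
    mkdir -p "$keydir" && chmod 700 "$keydir"
    ( umask 077
      cd "$keydir"
      if [ ! -f authority_identity_key ]; then
          tor-gencert --create-identity-key   # first time only
      else
          tor-gencert                         # rotation: identity key kept
      fi )
}

# Step 2: install the signing key and certificate into DataDirectory/keys.
install_authority_keys() {
    keydir=$1; datadir=$2
    mkdir -p "$datadir/keys"
    cp "$keydir/authority_signing_key" "$keydir/authority_certificate" \
       "$datadir/keys/"
    chmod 600 "$datadir/keys/authority_signing_key"
}

# Step 4: read the v3 identity fingerprint from authority_certificate.
v3_fingerprint() {
    awk '$1 == "fingerprint" { print $2; exit }' "$1"
}

# Build the DirServer line a developer adds to config.c: v3ident goes after
# the nickname and its flags, before the IP:port and the v1 fingerprint.
# Usage: dirserver_line NICK ORPORT V3IDENT IP:PORT V1FINGERPRINT...
dirserver_line() {
    nick=$1; orport=$2; v3ident=$3; addr=$4
    shift 4
    printf 'DirServer %s v1 orport=%s v3ident=%s %s %s\n' \
        "$nick" "$orport" "$v3ident" "$addr" "$*"
}

# Constructed sample certificate: only the fingerprint line is modelled.
sample_cert() {
    cat <<'EOF'
fingerprint 3041632465FA8847A98B2C5742108C72325532D9
EOF
}
```

Run `gen_authority_keys /root/v3-auth` followed by `install_authority_keys /root/v3-auth /var/lib/tor` at each rotation, then feed `v3_fingerprint` into `dirserver_line` to produce the line to send to the developers.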