Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: cb4d773063
Branches Tags
tor
/
doc
/
spec
/
proposals
/
157-specific-cert-download.txt

157-specific-cert-download.txt 3.5 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798 
  1. Filename: 157-specific-cert-download.txt
    2. 

  2. Title: Make certificate downloads specific
    3. 

  3. Version: $Revision$
    4. 

  4. Last-Modified: $Date$
    5. 

  5. Author: Nick Mathewson
    6. 

  6. Created: 2-Dec-2008
    7. 

  7. Status: Open
    8. 

  8. Target: 0.2.1.x
    9. 

  9. 

  10. History:
    11. 

  11. 

  12.   2008 Dec 2, 22:34
    13. 

  13.      Changed name of cross certification field to match the other authority
    14. 

  14.      certificate fields.
    15. 

  15. 

  16. Overview:
    17. 

  17. 

  18.   Tor's directory specification gives two ways to download a certificate:
    19. 

  19.   by its identity fingerprint, or by the digest of its signing key.  Both
    20. 

  20.   are error-prone.  We propose a new download mechanism to make sure that
    21. 

  21.   clients get the certificates they want.
    22. 

  22. 

  23. Motivation:
    24. 

  24. 

  25.   When a client wants a certificate to verify a consensus, it has two choices
    26. 

  26.   currently:
    27. 

  27.      - Download by identity key fingerprint.  In this case, the client risks
    28. 

  28.        getting a certificate for the same authority, but with a different
    29. 

  29.        signing key than the one used to sign the consensus.
    30. 

  30. 

  31.      - Download by signing key fingerprint.  In this case, the client risks
    32. 

  32.        getting a forged certificate that contains the right signing key
    33. 

  33.        signed with the wrong identity key.  (Since caches are willing to
    34. 

  34.        cache certs from authorities they do not themselves recognize, the
    35. 

  35.        attacker wouldn't need to compromise an authority's key to do this.)
    36. 

  36. 

  37. Current solution:
    38. 

  38. 

  39.   Clients fetch by identity keys, and re-fetch with backoff if they don't get
    40. 

  40.   certs with the signing key they want.
    41. 

  41. 

  42. Proposed solution:
    43. 

  43. 

  44.   Phase 1: Add a URL type for clients to download certs by identity _and_
    45. 

  45.   signing key fingerprint.  Unless both fields match, the client doesn't
    46. 

  46.   accept the certificate(s).  Clients begin using this method when their
    47. 

  47.   randomly chosen directory cache supports it.
    48. 

  48. 

  49.   Phase 1A: Simultaneously, add a cross-certification element to
    50. 

  50.   certificates.
    51. 

  51. 

  52.   Phase 2: Once many directory caches support phase 1, clients should prefer
    53. 

  53.   to fetch certificates using that protocol when available.
    54. 

  54. 

  55.   Phase 2A: Once all authorities are generating cross-certified certificates
    56. 

  56.   as in phase 1A, require cross-certification.
    57. 

  57. 

  58. Specification additions:
    59. 

  59. 

  60.   The key certificate whose identity key fingerprint is <F> and whose signing
    61. 

  61.   key fingerprint is <S> should be available at:
    62. 

  62. 

  63.       http://<hostname>/tor/keys/fp-sk/<F>-<S>.z
    64. 

  64. 

  65.   As usual, clients may request multiple certificates using:
    66. 

  66. 

  67.       http://<hostname>/tor/keys/fp-sk/<F1>-<S1>+<F2>-<S2>.z
    68. 

  68. 

  69.   Clients SHOULD use this format whenever they know both key fingerprints for
    70. 

  70.   a desired certificate.
    71. 

  71. 

  72. 

  73.   Certificates SHOULD contain the following field (at most once):
    74. 

  74. 

  75.   "dir-key-crosscert" NL CrossSignature NL
    76. 

  76. 

  77.   where CrossSignature is a signature, made using the certificate's signing
    78. 

  78.   key, of the digest of the PKCS1-padded hash of the certificate's identity
    79. 

  79.   key.  For backward compatibility with broken versions of the parser, we
    80. 

  80.   wrap the base64-encoded signature in -----BEGIN ID SIGNATURE---- and
    81. 

  81.   -----END ID SIGNATURE----- tags.  (See bug 880.) Implementations MUST allow
    82. 

  82.   the "ID " portion to be omitted, however.
    83. 

  83. 

  84.   When encountering a certificate with a dir-key-crosscert entry,
    85. 

  85.   implementations MUST verify that the signature is a correct signature of
    86. 

  86.   the hash of the identity key using the signing key.
    87. 

  87. 

  88.   (In a future version of this specification, dir-key-crosscert entries will
    89. 

  89.   be required.)
    90. 

  90. 

  91. Why cross-certify too?
    92. 

  92. 

  93.   Cross-certification protects clients who haven't updated yet, by reducing
    94. 

  94.   the number of caches that are willing to hold and serve bogus certificates.
    95. 

  95. 

  96. References:
    97. 

  97. 

  98.   This is related to part 2 of bug 854.
    99.