To: tor-talk@lists.torproject.org
From: Oskar Wendel <o.wendel@wp.pl>
Date: Wed, 20 Jan 2016 21:59:52 +0000 (UTC)
Message-ID: <n7p00n$ia8$1@ger.gmane.org>
References: <20160116212250.GA14827@ix-293.local>
Subject: Re: [tor-talk] trusting .onion services

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rejo Zenger <rejo@zenger.nl>:

> [2] OK. Not entirely true, maybe. It may be possible to include those
> keys in some listing of the directory authorities marking them as bad
> nodes. This is a manual process.

There should be a possibility to automate this process. Something like...

1. HS owner realizes that his HS key has been stolen (but he still has 
his copy)

2. HS owner creates the "revocation message" for the onion address, signs 
it with his key and submits it to the DHT the same way a HS descriptor 
is uploaded

3. This revocation message, once received and confirmed that it belongs to 
the owner of the specified onion address, cannot be cancelled or undone. 
The address is marked as "bad" forever. Alternatively, to avoid clogging 
the network, it could be marked as "bad" only for a certain amount of 
time (a year?) and during the validity period, the owner should reissue 
a new revocation message, or else it will expire

4. All relays with HSDir flag should keep in their DHT (the ones with 
hidden service descriptors) also these revocation messages

5. When client tries to download a HS descriptor from a HSDir relay, it 
will receive the descriptor, but it will also receive the revocation 
message

Now it all depends on the client:

1. Client too old to understand revocation message will ignore the message 
and connect anyway

2. Client with a default configuration will verify the signature of the HS 
revocation message and if valid, will refuse to build circuit to HS 
introduction point (and log this information)

3. Client with a special configuration flag set (IgnoreHSRevocations or 
something like that) could log the revocation message, but build circuit 
anyway, at the client owner's risk

Any flaws in my idea? I see two:

1. What if Tor on HSDir relays is too old? They won't process this message 
properly. Maybe we should have a new flag for revocation message directory 
relays and use it instead?

2. What if someone tries to fill the DHT with malicious revocation 
messages? But it can also happen with normal HS descriptors...

- -- 
Oskar Wendel, o.wendel@wp.pl.REMOVE.THIS
Pubkey: https://pgp.mit.edu/pks/lookup?search=0x6690CC52318DB84C
Fingerprint: C8C4 B75C BB72 36FB 94B4 925C 6690 CC52 318D B84C
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
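
The scheme proposed in the message above, sketched as an added example (not part of the original post and not Tor code): a revocation is accepted only if the signing key hashes to the onion address, the signature verifies, and the validity period has not lapsed, followed by the three client behaviours. The toy textbook-RSA key, the message layout and all function names are assumptions made for illustration.

```python
import base64, hashlib

# Constructed toy key (textbook RSA over two Mersenne primes); NOT secure and
# not Tor's key format. It only stands in for "the HS owner's key".
P, Q, E = 2**89 - 1, 2**127 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def onion_address(n, e):
    """Address bound to the public key: base32 of a truncated key hash."""
    digest = hashlib.sha1(f"{n}:{e}".encode()).digest()[:10]
    return base64.b32encode(digest).decode().lower() + ".onion"

def _digest(addr, issued, n):
    # Hypothetical message layout: the signed body names the address and issue time.
    body = f"revoke|{addr}|{issued}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def make_revocation(n, e, d, issued):
    """Step 2: owner signs a revocation for the address derived from the key."""
    addr = onion_address(n, e)
    return {"addr": addr, "n": n, "e": e, "issued": issued,
            "sig": pow(_digest(addr, issued, n), d, n)}

def revocation_valid(rev, addr, now, validity=365 * 86400):
    """Steps 3 and 5: key must hash to the address, signature must verify,
    and the message must still be within its validity period."""
    if rev["addr"] != addr or onion_address(rev["n"], rev["e"]) != addr:
        return False          # signed by a key that does not own this address
    if not rev["issued"] <= now < rev["issued"] + validity:
        return False          # expired, owner did not reissue
    return pow(rev["sig"], rev["e"], rev["n"]) == _digest(addr, rev["issued"], rev["n"])

def client_decision(addr, rev, now, understands=True, ignore_revocations=False):
    """The three client behaviours from the post."""
    if not understands or rev is None:
        return "connect"                      # old client ignores the message
    if not revocation_valid(rev, addr, now):
        return "connect"                      # forged or expired revocation is discarded
    return "connect-logged" if ignore_revocations else "refuse"
```

Because the address is derived from the key, a revocation signed with any other key fails the first check, which is why flooding the DHT with revocations for addresses one does not own has no effect on clients that verify.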
