Message-ID: <54F506C7.6020202@adrienj.com>
Date: Mon, 02 Mar 2015 19:56:39 -0500
From: Adrien Johnson <adrienj@adrienj.com>
To: tor-talk@lists.torproject.org
Subject: [tor-talk] Revoking a hidden service key

Hello all,

If a hidden service operator becomes aware their hidden service private 
key has been compromised, for instance if hidden service descriptors 
signed with their private key are published that they did not create 
themselves, there should be a way for the hidden service operator to 
revoke trust in the key and prevent attackers from hijacking traffic to 
their .onion domain. I have read the current directory spec, and the 
current and proposed Rendezvous spec, but I cannot find any support for 
this.

Is hidden service revocation like that possible in the current design, 
or have I overlooked something?

If it is not currently possible, I suggest it could be implemented as a 
hidden service descriptor listing zero introductory points, and having a 
special timestamp value which should never appear in ordinary usage, 
1970-1-1 for instance. Hidden Service Directories upon receiving such a 
'revocation' descriptor should immediately discard any other descriptors 
for that hidden service and should refuse to accept any further 
descriptors for that service. Hidden service directories should retain 
such a descriptor indefinitely.

The existence of such a revocation mechanism would strengthen the idea 
of "controlling" a hidden service or .onion domain. Up until now all a 
hidden service owner could do to prove they control a hidden service was 
sign something to show they had the key. If this revocation mechanism 
existed, they would also be able to show strong evidence that they are 
the only one that possesses that key.

Does this sound like a useful feature? Does my suggested implementation 
hold water? Any comments appreciated.
-Adrien Johnson
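
The directory-side rule proposed in the message above, modelled as an added example (not part of the original post and not Tor code). The class names, the boolean signature stand-in, the 24-hour cache lifetime and the lookup behaviour are assumptions made for this model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Sentinel from the proposal: a timestamp that never appears in ordinary use.
REVOCATION_TS = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAX_AGE = timedelta(hours=24)  # assumed cache lifetime for this model only

@dataclass(frozen=True)
class Descriptor:
    service_id: str          # constructed sample identifier, not a real .onion
    timestamp: datetime
    intro_points: tuple
    signature_ok: bool       # stand-in for verifying the service key's signature

    def is_revocation(self):
        return self.timestamp == REVOCATION_TS and len(self.intro_points) == 0

class HSDirStore:
    """Toy model of one hidden service directory's descriptor cache."""
    def __init__(self):
        self.descriptors = {}  # service_id -> newest ordinary descriptor
        self.revoked = {}      # service_id -> revocation descriptor, kept forever

    def publish(self, desc, now):
        if not desc.signature_ok:
            return "rejected: bad signature"
        if desc.service_id in self.revoked:
            return "rejected: service revoked"
        # Must run before the freshness check: the 1970 sentinel would
        # otherwise be dropped as far too old.
        if desc.is_revocation():
            self.descriptors.pop(desc.service_id, None)
            self.revoked[desc.service_id] = desc
            return "revoked"
        if now - desc.timestamp > MAX_AGE:
            return "rejected: too old"
        current = self.descriptors.get(desc.service_id)
        if current is not None and current.timestamp >= desc.timestamp:
            return "rejected: not newer"
        self.descriptors[desc.service_id] = desc
        return "stored"

    def expire(self, now):
        # Ordinary descriptors age out; revocations are never touched.
        self.descriptors = {k: d for k, d in self.descriptors.items()
                            if now - d.timestamp <= MAX_AGE}

    def lookup(self, service_id):
        # Assumption: a revoked service answers with its revocation descriptor.
        return self.revoked.get(service_id) or self.descriptors.get(service_id)
```

Because the revocation is signed with the same key as any other descriptor, the model accepts it from whoever holds that key.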

