Opened 6 years ago

Last modified 2 years ago

#11119 needs_information defect

Write a proposal for client-side key pinning

Reported by: nickm Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Normal Keywords: tor-client, needs-proposal
Cc: arma Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Proposal 220 suggests that we pin RSA and Ed25519 identity keys to one another authority-side. Roger suggested to me that we also consider doing client-side identity pinning.

Child Tickets

Change History (9)

comment:1 Changed 6 years ago by nickm

Keywords: 026-triaged-1 added

comment:2 Changed 6 years ago by nickm

Status: newneeds_information

I started writing up a proposal draft here, but I'm not currently seeing the point of it. If a client has a correct consensus, it should get the correct RSA1024<->Ed25519 mappings unless the authorities are lying. But if the authorities are lying, they can poison the clients in lots of other ways too.

Similarly, for stuff like bridges, we can export the ed25519 key in the bridge line, and we don't need to remember the RSA1024 key at all. That's probably a better idea than pinning in the first place, right?

For guards, we should remember every public key we've seen for the guard, and only connect if all the keys are good.

So, what's the value here? What's the threat model it helps for?

comment:3 Changed 6 years ago by nickm

Cc: arma added

comment:4 Changed 5 years ago by nickm

Milestone: Tor: 0.2.6.x-finalTor: 0.2.???

comment:5 Changed 4 years ago by teor

Milestone: Tor: 0.2.???Tor: 0.3.???

Milestone renamed

comment:6 Changed 3 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.???Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:7 Changed 3 years ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:8 Changed 3 years ago by nickm

Keywords: 026-triaged-1 removed

comment:9 Changed 2 years ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

Note: See TracTickets for help on using tickets.