Opened 5 years ago

Last modified 14 months ago

#11119 needs_information defect

Write a proposal for client-side key pinning

Reported by: nickm Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Normal Keywords: tor-client, needs-proposal
Cc: arma Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Proposal 220 suggests that we pin RSA and Ed25519 identity keys to one another authority-side. Roger suggested to me that we also consider doing client-side identity pinning.

Child Tickets

Change History (9)

comment:1 Changed 4 years ago by nickm

Keywords: 026-triaged-1 added

comment:2 Changed 4 years ago by nickm

Status: newneeds_information

I started writing up a proposal draft here, but I'm not currently seeing the point of it. If a client has a correct consensus, it should get the correct RSA1024<->Ed25519 mappings unless the authorities are lying. But if the authorities are lying, they can poison the clients in lots of other ways too.

Similarly, for stuff like bridges, we can export the ed25519 key in the bridge line, and we don't need to remember the RSA1024 key at all. That's probably a better idea than pinning in the first place, right?

For guards, we should remember every public key we've seen for the guard, and only connect if all the keys are good.

So, what's the value here? What's the threat model it helps for?

comment:3 Changed 4 years ago by nickm

Cc: arma added

comment:4 Changed 4 years ago by nickm

Milestone: Tor: 0.2.6.x-finalTor: 0.2.???

comment:5 Changed 2 years ago by teor

Milestone: Tor: 0.2.???Tor: 0.3.???

Milestone renamed

comment:6 Changed 2 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.???Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:7 Changed 20 months ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:8 Changed 20 months ago by nickm

Keywords: 026-triaged-1 removed

comment:9 Changed 14 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

Note: See TracTickets for help on using tickets.