Drop --disable-curve25519 ?

We added curve25519 back in 0.2.4. It's proven pretty safe and reliable since then, and I think we'd agree that it's much more cryptographically secure than RSA-1024/DH-1024 TAP.

Is there any reason to keep the ability to disable curve25519 support?

changed milestone to %Tor: 0.2.6.x-final

added component::core tor/tor milestone::Tor: 0.2.6.x-final priority::medium resolution::implemented status::closed tor-relay type::enhancement labels

Sounds good to me.

That said, there were people who are scared of ECC and still want to use TAP. Does dropping the ability to disable curve25519 support imply dropping the ability to ask Tor to use TAP?

I guess we could add an option to make Tor clients not use ntor circuit-extension handshakes? I wouldn't expect it to get much more testing than --disable-curve25519, though.

Fundamentally, I don't think these people are asking for a reasonable thing. TAP-1024 (if I may coin a usage) is just not a cryptographicly good option IMO. OTOH, a "TAP-4096" would be really slow, and probably not a great usage of our time to implement.

So the answer is "right now, the only way to use tap rather than ntor is to compile your Tor yourself, using this funky configure option"?

And removing the --disable-curve25519 option would let us rip out the TAP client-side?

Sounds good to me.

If we were extra-conscientious, we would send a short note somewhere telling people that it's happening, so we can be more transparent about these decisions. But I'm not sure there is a good venue for such short notes anymore -- tor-talk used to be it but now it's too full.

And removing the --disable-curve25519 option would let us rip out the TAP client-side?

Well, we can only rip out TAP client-side once every server supports ntor. Right now, servers that were built with --disable-curve25519 don't provide ntor; and servers running 0.2.3 don't provide ntor.

We could make curve25519 a requirement for servers dirauth-side much earlier before they naturally die out, which might make sense here.

In fact, we should just write a script now to see how many servers are on a version past 0.2.3 and don't have curve25519

Good idea -- we should work towards having no relays in the network that set --disable-curve25519.

Should we drop 0.2.4 without ntor before we drop 0.2.3? It doesn't seem any worse.

(I agree that we should see if there are significant numbers of routers on >=0.2.4 without ntor, so we can contact them to ask what's up.)

Please see branch bug13286 in my repo for an implementation to drop the configure option in 0.2.6

Trac:
Status: new to needs_review

lgtm; merged!

Trac:
Resolution: N/A to implemented
Status: needs_review to closed

closed

moved to tpo/core/tor#13286 (closed)