Opened 5 years ago

Closed 5 years ago

#17906 closed defect (implemented)

Dannenberg's v3ident needs to change

Reported by: atagar
Owned by:
Priority: Very High
Milestone: Tor: 0.2.8.x-final
Component: Core Tor/Tor
Version:
Severity: Major
Keywords: 027-backport, 026-backport, 025-backport, 024-backport, TorCoreTeam201601, 201512-deferred
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Hi Nick. On #17668 I mentioned that Dannenberg's v3ident has changed and this needs to be updated in config.c. Trivial change, but this should be corrected soonish since due to it Dannenberg isn't taking part in the consensus...

from stem.descriptor import DocumentHandler
from stem.descriptor.remote import DescriptorDownloader

downloader = DescriptorDownloader()

print("Consensus is signed by...\n")

query = downloader.get_consensus(document_handler = DocumentHandler.BARE_DOCUMENT)

for authority in query.run()[0].directory_authorities:
  print(' * %s with the v3ident of %s' % (authority.nickname, authority.v3ident))

% python
Consensus is signed by...

 * tor26 with the v3ident of 14C131DFC5C6F93646BE72FA1401C02A8DF2E8B4
 * longclaw with the v3ident of 23D15D965BC35114467363C165C4F724B64B4F66
 * maatuska with the v3ident of 49015F787433103580E3B66A1707A00E60F2D15B
 * urras with the v3ident of 80550987E1D626E3EBA5E5E75A458DE0626D088C
 * moria1 with the v3ident of D586D18309DED4CD6D57C18FDB97EFA96D330566
 * dizum with the v3ident of E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58
 * gabelmoo with the v3ident of ED03BB616EB2F60BEC80151114BB25CEF515B226
 * Faravahar with the v3ident of EFCBE720AB3A82B99F9E953CD5BF50F7EEFC7B97

Again, trivial change. Andreas sent a signed email to dir-auth@ on November 18...

The new v3ident for dannenberg is


Change History (12)

comment:1 Changed 5 years ago by teor

Keywords: 027-backport 026-backport TorCoreTeam201512 added
Milestone: Tor: 0.2.8.x-final
Status: new → needs_review

Please see my branch dannenberg-id-201511 at

I based this commit on maint-0.2.6 so we could backport it.

Please note that we've added authority IPv6 addresses to master in 60fc2b2539, and gabelmoo's IPv6 address falls within the context for this commit. If there are conflicts, please preserve dannenberg's new key and gabelmoo's IPv6 address in the merge.

comment:2 Changed 5 years ago by nickm

Is Dannenberg using the V3AuthUseLegacyKey option? It really should, assuming the admin still has access to the old keys too.

Also, ISTR that things can go badly when we change authority identities and the authorities don't agree about which authorities vote; I think we need to make sure that the authorities all get the new list of authorities around the same time. They can do this with the DirAuthority option, if they all set the same list of DirAuthority entries. They should ideally all do this within the same day, or they will not agree on what the consensus is.

comment:3 Changed 5 years ago by arma

I had indeed thought that dannenberg is using the legacy key option, so it should be voting with its old key too. Is it not? Did it ever?

comment:4 Changed 5 years ago by arma

Answer: the legacy key thing makes you *sign* with your legacy key, but you vote with only one key, your main one. So if nobody else thinks that's a legit key, then they ignore your vote, so the consensus that you sign (with both keys) is the wrong one.

So yes, we need to do a coordinated shift of a high enough threshold of the authorities that we'll get a consensus afterwards too.

comment:5 Changed 5 years ago by nickm

Keywords: TorCoreTeam201601 201512-deferred added; TorCoreTeam201512 removed

Perhaps in January?

comment:6 Changed 5 years ago by arma

I suggest we do it in three stages:

Stage one: dannenberg, Faravahar, dizum switch, whenever they want, starting anytime (now would be good).

Stage two: we do a coordinated switch where at least three of {maatuska, longclaw, gabelmoo, moria1} switch in the same hour -- that way we have enough bwauths at all points, and also enough badexiters.

Stage three: tor26, urras, and whoever we didn't get from stage two switch at their leisure.

comment:7 Changed 5 years ago by teor

Status update:

  • all authorities except moria1 have switched to dannenberg's new key
    • arma is on it
  • The consensus has a vote for dannenberg (new) and signatures for dannenberg and dannenberg-legacy
    • Since this is the first time we've used this feature, have we checked that clients are accepting the legacy signature?
  • Stem has changed to dannenberg's new key
  • Tor can change to dannenberg's new key by merging the branch dannenberg-id-201511 at
    • This branch is based on maint-0.2.6
    • The merge to master may conflict with the IPv6 addresses in commit 60fc2b2539, please ensure all IPv6 addresses and the new key are preserved by the merge
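
An added example, not part of the ticket or of Tor's code: a simplified model of the client-side question raised in this status update, counting which built-in authorities a client recognizes among a consensus's directory-signature lines when dannenberg signs with both its new and its legacy identity. The footer is constructed, dannenberg's old and new v3idents are placeholders because the ticket does not show them, no signature is cryptographically verified, and the more-than-half threshold is an assumption of the model.

```python
# v3idents of the other eight authorities, as printed in the ticket's output.
OTHERS = {
    "tor26": "14C131DFC5C6F93646BE72FA1401C02A8DF2E8B4",
    "longclaw": "23D15D965BC35114467363C165C4F724B64B4F66",
    "maatuska": "49015F787433103580E3B66A1707A00E60F2D15B",
    "urras": "80550987E1D626E3EBA5E5E75A458DE0626D088C",
    "moria1": "D586D18309DED4CD6D57C18FDB97EFA96D330566",
    "dizum": "E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58",
    "gabelmoo": "ED03BB616EB2F60BEC80151114BB25CEF515B226",
    "Faravahar": "EFCBE720AB3A82B99F9E953CD5BF50F7EEFC7B97",
}
# Placeholders: the ticket does not show dannenberg's old or new v3ident.
DANNENBERG_OLD = "A" * 40
DANNENBERG_NEW = "B" * 40

def footer(identities):
    """Build a constructed consensus footer signed by the given identities."""
    lines = ["directory-footer"]
    for ident in identities:
        # Signing-key digest ("C" * 40) and signature body are dummies.
        lines += ["directory-signature %s %s" % (ident, "C" * 40),
                  "-----BEGIN SIGNATURE-----", "(omitted)", "-----END SIGNATURE-----"]
    return "\n".join(lines)

def signing_identities(consensus_text):
    """Identity fingerprints named on directory-signature lines."""
    found = set()
    for line in consensus_text.splitlines():
        parts = line.split()
        # "directory-signature [algorithm] identity signing-key-digest"
        if len(parts) in (3, 4) and parts[0] == "directory-signature":
            found.add(parts[-2].upper())
    return found

def check(consensus_text, trusted):
    """trusted maps nickname -> v3ident in the client's built-in list.
    Returns (recognized nicknames, majority reached, signatures ignored)."""
    signed = signing_identities(consensus_text)
    recognized = sorted(n for n, ident in trusted.items() if ident in signed)
    required = len(trusted) // 2 + 1   # assumed rule: more than half must sign
    return recognized, len(recognized) >= required, len(signed - set(trusted.values()))

if __name__ == "__main__":
    old_client = dict(OTHERS, dannenberg=DANNENBERG_OLD)
    new_client = dict(OTHERS, dannenberg=DANNENBERG_NEW)
    both = footer(list(OTHERS.values()) + [DANNENBERG_NEW, DANNENBERG_OLD])
    for name, client in (("old list", old_client), ("new list", new_client)):
        print(name, check(both, client))
```

In this model a client with either built-in list counts dannenberg once and ignores the signature made under the identity it does not know; without the legacy signature, a client still holding the old v3ident counts only the other eight.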

comment:8 Changed 5 years ago by arma

moria1 has updated too.

Also, we did use the legacy key feature before -- we built it because of the debian rng bug, when we needed to rotate a pile of dir auth keys suddenly.

I agree that merging into 0.2.6-and-later rsn is wise.

comment:9 Changed 5 years ago by nickm

Priority: High → Very High

comment:10 Changed 5 years ago by nickm

Keywords: 025-backport 024-backport added

comment:11 Changed 5 years ago by nickm

I'll take care of backporting to all non-dead versions.

comment:12 Changed 5 years ago by nickm

Resolution: implemented
Status: needs_review → closed

11f63d26acb8ca872d894fb1423b380dc1f8dc2e is my backport of this to 0.2.4, merged forward through master.

9ca329581af71c9aa6890b63c29c6a51ac37e408 is the nontrivial merge of that into 0.2.5.

b34c5c6b8ac0d13d5e2bda188ff038f6ff7eb4f3 is the nontrivial merge of that into 0.2.7.

Please let me know ASAP if I messed this up.
