Opened 23 months ago

Closed 5 months ago

#20522 closed defect (implemented)

Enable DISABLE_DISABLING_ED25519

Reported by: teor Owned by: nickm
Priority: Medium Milestone: Tor: 0.3.4.x-final
Component: Core Tor/Tor Version:
Severity: Normal Keywords: tor-ed25519-proto, 034-triage-20180328, 034-included-20180405 fast-fix
Cc: isis Actual Points:
Parent ID: Points: 0.5
Reviewer: ahf Sponsor: SponsorZ

Description

Split from #18319

At some point, we should require relays that once had an ed25519 key associated with their RSA key to always have that key, rather than allowing them to drop back to a version that didn't support ed25519.

(This means they need to use a new RSA key to downgrade to an older version of tor without ed25519, which is consistent with the pinning in #18319.)

This means either:
1a. waiting until 0.2.5 is no longer recommended, or
1b. look at historical metrics data to see how often relays run a recent version for a while, then drop back to an older one. If the answer is "almost never" then we can just turn it on now.

To implement this change, replace #undef DISABLE_DISABLING_ED25519 with #define DISABLE_DISABLING_ED25519.

Child Tickets

Change History (21)

comment:1 Changed 23 months ago by teor

Status: newneeds_information

comment:2 Changed 21 months ago by dgoulet

Keywords: triage-out-030-201612 added
Milestone: Tor: 0.3.0.x-finalTor: 0.3.1.x-final

Triaged out on December 2016 from 030 to 031.

comment:3 Changed 19 months ago by nickm

Owner: set to nickm
Sponsor: SponsorZ
Status: needs_informationaccepted

comment:4 Changed 19 months ago by teor

How can we make sure relay operators know what's going on when this happens?
Can we warn them before it does?

For example, #21636 adds the NoEdConsensus flag to Atlas.

comment:5 Changed 19 months ago by nickm

Milestone: Tor: 0.3.1.x-finalTor: 0.3.2.x-final

comment:6 Changed 16 months ago by nickm

Keywords: triage-out-030-201612 removed

comment:7 Changed 15 months ago by isis

Cc: isis added

comment:8 Changed 13 months ago by nickm

Milestone: Tor: 0.3.2.x-finalTor: 0.3.4.x-final

The logical time to do this is when we finally deprecate 0.2.8 0.2.5 next May.

Last edited 13 months ago by nickm (previous) (diff)

comment:9 Changed 6 months ago by nickm

Keywords: 034-triage-20180328 added

comment:10 Changed 6 months ago by nickm

Keywords: 034-removed-20180328 added

Per our triage process, these tickets are pending removal from 0.3.4.

comment:11 Changed 6 months ago by nickm

Keywords: 034-included-20180405 fast-fix added; 034-removed-20180328 removed

comment:12 Changed 6 months ago by ffmancera

Status: acceptedneeds_review

I think everything is done! Check my github branch bug20522 :-)

Last edited 6 months ago by ffmancera (previous) (diff)

comment:13 Changed 6 months ago by dgoulet

Reviewer: ahf

comment:14 Changed 5 months ago by ahf

Status: needs_reviewneeds_revision

I think based on Teor's comments this patch looks good. It needs a changes file firstly though, describing the impact this may have.

comment:15 Changed 5 months ago by teor

We also need to communicate this change to relay operators. Perhaps we should open tickets to update the tor relay guide, and send out an email to tor-relays.

comment:16 Changed 5 months ago by ffmancera

Status: needs_revisionneeds_review

I think based on Teor's comments this patch looks good. It needs a changes file firstly though, describing the impact this may have.

I added the change file

We also need to communicate this change to relay operators. Perhaps we should open tickets to update the tor relay guide, and send out an email to tor-relays.

I will create the ticket but can someone send out the email?

Thanks :-)

comment:17 in reply to:  16 Changed 5 months ago by teor

Replying to ffmancera:

We also need to communicate this change to relay operators. Perhaps we should open tickets to update the tor relay guide, and send out an email to tor-relays.

I will create the ticket but can someone send out the email?

Thanks :-)

Someone can send out the email when we deploy the code to directory authorities.
moria1 will probably deploy it when it goes to master.
The other authorities will probably deploy it when it goes stable in a few months' time.

The email should tell operators that:

  1. 0.2.5 won't be supported after 1 May 2018
  2. Please upgrade to 0.2.9 or later
  3. 0.2.9 and later support ed25519 relay keys
  4. Directory authorities require relays with ed25519 keys to keep the same ed25519/RSA key pair (or change both at the same time)
  5. If your relay publishes an ed25519 key, then downgrades to a tor version without ed25519 support, directory authorities on 0.3.4 or later will drop your relay from the consensus. This is a security feature.

We should warn once when moria1 deploys, and then again when we release 0.3.4-rc.

comment:18 in reply to:  16 Changed 5 months ago by nusenu

Replying to ffmancera:

I will create the ticket

#25812

but can someone send out the email?

I can take care of that.

comment:19 Changed 5 months ago by ahf

Status: needs_reviewmerge_ready

I think this looks good to me code-wise, I saw the email had been send out. Marking this merge ready.

comment:20 Changed 5 months ago by nickm

I agree that this is merge_ready. I'll merge it once #25610 is in, to avoid conflicts.

comment:21 Changed 5 months ago by nickm

Resolution: implemented
Status: merge_readyclosed

Merged to master; no conflicts!

Note: See TracTickets for help on using tickets.