On Sun, Mar 26, 2017 at 10:39:08PM +1100, teor wrote: > Hi all, > > Most onion service users expect that there is only one valid onion > address for their private key. (For example, one address is listed in > SSL certificates.) > > I spoke with Ian, and he said that as part of validating the onion > address, we should check if it is a valid point. > > He said we need to multiply the point by L, and make sure there's no > torsion component (that is, that the result is the identity). > > This avoids the complexity of choosing a canonical point using some > lexicographic order, or the complexity of using something like decaf. > > (Hopefully, Ian will write back if I transcribed things incorrectly.)
Just to transcribe the further conversation: Yes, that's fine to make sure you're using a legitimate point, and not one that's been munged, it turns out you don't need to do even that. The reason is that the daily derived blinded point includes a hash of the onion address, so if someone changes the onion address in any way, the daily blinded version will be totally different, and the modified address won't work, *even if* the contained public key is "equivalent" to the original key. -- Ian Goldberg Professor and University Research Chair Cheriton School of Computer Science University of Waterloo _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
