Hi,

On 04/28/2018 06:19 AM, teor wrote:
>> Or should we require the service to enable both for all clients?
>>
>> If you want to let the service be able to enable one while disabling the
>> other, do you have any opinion on how to configure the torrc?
>
> If someone doesn't understand client auth in detail, and just wants
> to be more secure, we should give them a single option that enables
> both kinds of client auth. (Security by default.)
>
> OnionServiceClientAuthentication 1
> (Default: 0)
>
> If someone knows they only want a particular client auth method,
> we should give them another option that contains a list of active
> client auth methods. (Describe what you have, not what you don't
> have, because negatives confuse humans.)
>
> OnionServiceClientAuthenticationMethods intro
> (Default: descriptor, intro)

Do you have any opinion on specifying the client names in your
recommendation? And the list of client names in "descriptor" and "intro"
should be independent.

However, what I am currently thinking of is that we can use the existing
format.

HiddenServiceAuthorizeClient auth-type client-name,client-name,...

But instead of allowing only two auth-types "descriptor" and "intro", we
allow another type called "default" which includes both "descriptor" and
"intro".

So if I put an option:

HiddenServiceAuthorizeClient default client-name,client-name,...

It will be equivalent to two lines of:

HiddenServiceAuthorizeClient descriptor client-name,client-name,...
HiddenServiceAuthorizeClient intro client-name,client-name,...

And on the client side, if I put an option:

HidServAuth onion-address default x25519-private-key ed25519-private-key

It will be equivalent to two lines of:

HidServAuth onion-address descriptor x25519-private-key
HidServAuth onion-address intro ed25519-private-key

What do you all think?

Cheers,
haxxpop
_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
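
The "default" shorthand proposed in the message above, worked through as an added example (not part of the original post and not Tor code). It models only the equivalences the message states; the function names, the strict argument checks and the sample lines are assumptions made for illustration.

```python
# Sketch of the proposed "default" auth-type. Semantics come from the
# message above only; "default" is a proposal there, not an existing option.
METHODS = ("descriptor", "intro")  # order matches the proposed key order

def expand(line):
    """Return the torrc line(s) equivalent to `line`, with "default" expanded."""
    parts = line.split()
    if not parts or parts[0] not in ("HiddenServiceAuthorizeClient", "HidServAuth"):
        return [line]  # unrelated option or comment: pass through unchanged
    if parts[0] == "HiddenServiceAuthorizeClient":
        if len(parts) != 3:  # names are comma-separated, without spaces
            raise ValueError(f"expected auth-type and client list: {line!r}")
        _, auth_type, names = parts
        if auth_type == "default":
            return [f"HiddenServiceAuthorizeClient {m} {names}" for m in METHODS]
        if auth_type not in METHODS:
            raise ValueError(f"unknown auth-type {auth_type!r}")
        return [line]
    # Client side: HidServAuth onion-address auth-type key [key]
    if len(parts) < 4:
        raise ValueError(f"expected onion address, auth-type and key: {line!r}")
    _, onion, auth_type, *keys = parts
    if auth_type == "default":
        if len(keys) != 2:  # x25519 key first, then ed25519 key
            raise ValueError("default needs an x25519 key, then an ed25519 key")
        return [f"HidServAuth {onion} {m} {k}" for m, k in zip(METHODS, keys)]
    if auth_type not in METHODS or len(keys) != 1:
        raise ValueError(f"bad auth-type or key count: {line!r}")
    return [line]

def authorized_clients(torrc_lines):
    """Service side: client names per method once every line is expanded."""
    clients = {m: set() for m in METHODS}
    for line in torrc_lines:
        for expanded in expand(line):
            parts = expanded.split()
            if parts and parts[0] == "HiddenServiceAuthorizeClient":
                clients[parts[1]].update(n for n in parts[2].split(",") if n)
    return {m: sorted(names) for m, names in clients.items()}

# Constructed sample: "default" plus an intro-only client. The two lists
# stay independent, so carol is authorized for intro but not descriptor.
SAMPLE_SERVICE = [
    "HiddenServiceAuthorizeClient default alice,bob",
    "HiddenServiceAuthorizeClient intro carol",
]

if __name__ == "__main__":
    print(authorized_clients(SAMPLE_SERVICE))
    print(expand("HidServAuth example.onion default X25519-KEY ED25519-KEY"))
```
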