On 01/20/2016 03:29 PM, Oskar Wendel wrote:

<snipped many great thoughts about revoking HS descriptors via HSDirs>

> What do you all think?

I agree that HSDirs are the places to handle this. The network already trusts them not to MitM connections or send users to malicious HS, right? And I presume that there is testing for dishonest HSDirs. If not, there should be.

It would be safest, I think, to simply delete HS descriptors upon receipt of a valid revocation message, signed by the private key. As long as operators back up private keys, they can always revoke them. It's true that adversaries could revoke HS descriptors after stealing private keys. However, having the site unreachable is arguably the safest outcome after key compromise.

Private HS keys are often vulnerable, virtually unprotected in remote hosts. So it's risky to rely on them alone for verifying revocation messages. However, one could add the option of supplying public GnuPG keys to HSDirs, signed by HS keys. There could be a time limit on that, so that it won't become an attack vector. Then HSDirs would require revocation messages signed by both private HS and GnuPG keys.

It would also be necessary to propagate signed revocation messages among HSDirs. Each HSDir would check signatures. There's still the risk that malicious HSDirs would ignore revocation messages. That would require checking by peers.

Sane?

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk