[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[tor-talk] Revoking a hidden service key



Hello all,

If a hidden service operator becomes aware their hidden service private key has been compromised, for instance if hidden service descriptors signed with their private key are published that they did not create themselves, there should be a way for the hidden service operator to revoke trust in the key and prevent attackers from hijacking traffic to their .onion domain. I have read the current directory spec, and the current and proposed Rendezvous spec, but I cannot find any support for this.

Is hidden service revocation like that possible in the current design, or have I overlooked something?

If it is not currently possible, I suggest it could be implemented as a hidden service descriptor listing zero introductory points, and having a special timestamp value which should never appear in ordinary usage, 1970-1-1 for instance. Hidden Service Directories upon receiving such a 'revocation' descriptor should immediately discard any other descriptors for that hidden service and should refuse to accept any further descriptors for that service. Hidden service directories should retain such a descriptor indefinitely.

The existence of such a revocation mechanism would strengthen the idea of "controlling" a hidden service or .onion domain. Up until now all a hidden service owner could do to prove they control a hidden service was sign something to show they had the key. If this revocation mechanism existed, they would also be able to show strong evidence that they are the only one that possesses that key.

Does this sound like a useful feature? Does my suggested implantation hold water? Any comments appreciated.
-Adrien Johnson
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk