| field | value |
|---|---|
| author | Nick Mathewson <nickm@torproject.org>, 2008-12-12 18:31:39 +0000 |
| committer | Nick Mathewson <nickm@torproject.org>, 2008-12-12 18:31:39 +0000 |
| commit | 868b17c1df1230474ea89ec40dcaff175fe8886a (patch) |
| tree | fd280a0bd2bbbc076954dafbd60ee2376249c886 |
| parent | 33ccec01241fd1bc6d179b1bb8b0af8897b34cd0 (diff) |
| download | torspec-868b17c1df1230474ea89ec40dcaff175fe8886a.tar.gz, torspec-868b17c1df1230474ea89ec40dcaff175fe8886a.zip |
Add cross-certification to authority key certificates. Partial implementation of proposal 157.
svn:r17610
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | dir-spec.txt | 19 |
| -rw-r--r-- | proposals/157-specific-cert-download.txt | 5 |

2 files changed, 24 insertions, 0 deletions
diff --git a/dir-spec.txt b/dir-spec.txt index 1bd73ba..d7e393b 100644 --- a/dir-spec.txt +++ b/dir-spec.txt @@ -758,6 +758,25 @@ $Id$ The directory server's public signing key. This key MUST be at least 1024 bits, and MAY be longer. + "dir-key-crosscert" NL CrossSignature NL + + [At most once.] + + NOTE: Authorities MUST include this field in all newly generated + certificates. A future version of this specification will make + the field required. + + CrossSignature is a signature, made using the certificate's signing + key, of the digest of the PKCS1-padded hash of the certificate's + identity key. For backward compatibility with broken versions of the + parser, we wrap the base64-encoded signature in -----BEGIN ID + SIGNATURE---- and -----END ID SIGNATURE----- tags. Implementations + MUST allow the "ID " portion to be omitted, however. + + When encountering a certificate with a dir-key-crosscert entry, + implementations MUST verify that the signature is a correct signature + of the hash of the identity key using the signing key. + "dir-key-certification" NL Signature NL [At end, exactly once.] diff --git a/proposals/157-specific-cert-download.txt b/proposals/157-specific-cert-download.txt index 4687a5b..2cae13b 100644 --- a/proposals/157-specific-cert-download.txt +++ b/proposals/157-specific-cert-download.txt @@ -13,6 +13,11 @@ History: Changed name of cross certification field to match the other authority certificate fields. +Status: + + Cross-certification is implemented for new certificates, but not yet + required. + Overview: Tor's directory specification gives two ways to download a certificate: |
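Review bot: in the dir-spec.txt hunk, the armour lines for the CrossSignature are inconsistent: the opening tag is written `-----BEGIN ID SIGNATURE----` (four trailing dashes) while the closing tag is `-----END ID SIGNATURE-----` (five). Parsers will match on these exact strings, so the spec should give both tags in their intended form. The description "a signature, made using the certificate's signing key, of the digest of the PKCS1-padded hash of the certificate's identity key" also reads as a hash of a hash and never names the digest algorithm; state which hash is computed over which bytes of the identity key, and how the result is padded before signing, so independent implementations produce and verify the same value. Finally, the last paragraph says implementations "MUST verify that the signature is a correct signature" but not what happens when verification fails; add that a certificate whose dir-key-crosscert does not verify is to be rejected, otherwise the MUST carries no consequence.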
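Review bot: in the proposals/157-specific-cert-download.txt hunk, the new Status block ("implemented for new certificates, but not yet required") duplicates the NOTE added to dir-spec.txt ("A future version of this specification will make the field required") without pointing at it; reference the dir-spec.txt `dir-key-crosscert` field from the Status block so both places are found and updated together when the field becomes mandatory, and consider recording in the History section that this change is the one that landed the partial implementation.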