| field | value | date |
|---|---|---|
| author | Nick Mathewson <nickm@torproject.org> | 2015-01-10 15:45:59 -0500 |
| committer | Nick Mathewson <nickm@torproject.org> | 2015-01-10 15:45:59 -0500 |
| commit | 3c0422acc464a9da74bc35d3027ae966bf59d8d0 (patch) | |
| tree | 7a9f51f01cdc20ff41608eb94eea2ef6eb267ce9 /proposals/240-auth-cert-revocation.txt | |
| parent | eee061542a7d4e9b62e64bbedc4dd583fe02e583 (diff) | |
| download | torspec-3c0422acc464a9da74bc35d3027ae966bf59d8d0.tar.gz torspec-3c0422acc464a9da74bc35d3027ae966bf59d8d0.zip | |
Add 240, tweak 227
Diffstat (limited to 'proposals/240-auth-cert-revocation.txt')
-rw-r--r-- | proposals/240-auth-cert-revocation.txt | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/proposals/240-auth-cert-revocation.txt b/proposals/240-auth-cert-revocation.txt new file mode 100644 index 0000000..fa426ca --- /dev/null +++ b/proposals/240-auth-cert-revocation.txt @@ -0,0 +1,48 @@ +Filename: 240-auth-cert-revocation.txt +Title: Early signing key revocation for directory authorities. +Author: Nick Mathewson +Created: 09-Jan-2015 +Status: Draft + +1. Overview + + This proposal describes a simple way for directory authorities to + perform signing key revocation. + +2. Specification + + We add the following lines to the authority signing certificate + format: + + revoked-signing-key SP algname SP FINGERPRINT NL + + This line may appear zero or more times. + + It indicates that a particular not-yet-expired signing key should not + be used. + +3. Client and cache operation + + No client or cache should retain, use, or serve any certificate whose + signing key is described in a revoked-signing-key line in a + certificate with the same authority identity key. (If the signing + key fingerprint appears in a cert with a different identity key, it + has no effect: you aren't allowed to revoke other people's keys.) + + No Tor instance should download a certificate whose signing + key,identity key combination is known to be revoked. + +4. Authority operator interface. + + The 'tor-gencert' command will take a number of older certificates to + revoke as optional command-line arguments. It will include their + keys in revoked-signing-key lines only if they are still valid, or + have been expired for no more than a month. + +5. Circular revocation + + My first attempt at writing a proposal here included a lengthy + section about how to handle cases where certificate A revokes the key + of certificate B, and certificate B revokes the key of certificate A. + + Instead, I am inclined to say that this is a MUST NOT. |
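Review bot: Section 3's rule "No Tor instance should download a certificate whose signing key,identity key combination is known to be revoked" leaves out how an instance comes to know that: the only carrier of a revoked-signing-key line is a newer certificate for the same identity key, so the text should say that caches keep serving the revoking certificate and that an instance which already holds the revoked certificate drops it when the newer one arrives, otherwise clients that fetched the old certificate first never learn of the revocation. Section 2 should also pin down the grammar it introduces: which algname values are allowed and how FINGERPRINT is encoded (the existing certificate format only has fingerprints for one key type, so say whether this is the same hex digest). Section 5 declares mutual revocation a MUST NOT but gives no receiving-side rule; without one, the outcome depends on download order, so state what a client does when it sees A revoking B and B revoking A (for example, treat both as unusable). Minor: "key,identity key" is missing a space and the heading "4. Authority operator interface." carries a trailing period the other headings lack.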