rend-spec: Document directory behaviour for handling descriptor uploads.

This adds a paragraph describing the checks hidden service directories
are supposed to perform before accepting a descriptor upload.

Signed-off-by: Gabriela Moldovan <gabi@torproject.org>

1 files changed, 22 insertions, 0 deletions

diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt
index 53880db..bbe7b91 100644
--- a/rend-spec-v3.txt
+++ b/rend-spec-v3.txt
@@ -995,6 +995,28 @@ Table of contents:
    Consider that the service is at 01:00 right after SRV#2: it will upload its
    second descriptor using TP#2 and SRV#2.
 
+2.2.4.3. Directory behavior for handling descriptor uploads [DIRUPLOAD]
+
+   Upon receiving a hidden service descriptor publish request, directories MUST
+   check the following:
+
+     * The outer wrapper of the descriptor can be parsed according to
+       [DESC-OUTER]
+     * The version-number of the descriptor is "3"
+     * If the directory has already cached a descriptor for this hidden service,
+       the revision-counter of the uploaded descriptor must be greater than the
+       revision-counter of the cached one
+     * The descriptor signature is valid
+
+   If any of these basic validity checks fails, the directory MUST reject the
+   descriptor upload.
+
+   NOTE: Even if the descriptor passes the checks above, its first and second
+   layers could still be invalid: directories cannot validate the encrypted
+   layers of the descriptor, as they do not have access to the public key of the
+   service (required for decrypting the first layer of encryption), or the
+   necessary client credentials (for decrypting the second layer).
+
 2.2.5. Expiring hidden service descriptors [EXPIRE-DESC]
 
    Hidden services set their descriptor's "descriptor-lifetime" field to 180