tor-spec: Do the same extend checks as tor

Update the extend checks to match tor's implementation, particularly the comments in channel_tls_matches_target_method().
author: teor <teor@torproject.org> 2020-04-28 21:07:24 +1000
committer: teor <teor@torproject.org> 2020-04-28 21:07:24 +1000
commit: b43b9156614596e73df63be69ee439be93444802 (patch)
tree: c5c8ac12157e9abe48005558336310f785d70179 /tor-spec.txt
parent: 79fba6de64025991da4aac402d0b7f69493105d8 (diff)
download: torspec-b43b9156614596e73df63be69ee439be93444802.tar.gz
torspec-b43b9156614596e73df63be69ee439be93444802.zip
1 files changed, 4 insertions, 2 deletions
diff --git a/tor-spec.txt b/tor-spec.txt
index 7f0256e..df0ca38 100644
--- a/tor-spec.txt
+++ b/tor-spec.txt
@@ -1378,8 +1378,10 @@ see tor-design.pdf.
        - The IP matches the requested IP.
        - The OR knows that the IP of the connection it's using is canonical
          because it was listed in the NETINFO cell.
-       - The OR knows that the IP of the connection it's using is canonical
-         because it was listed in the server descriptor.
+
+    ORs SHOULD NOT check the IPs that are listed in the server descriptor.
+    Trusting server IPs makes it easier to covertly impersonate a relay, after
+    stealing its keys.
 
 5.4. Tearing down circuits
author	teor <teor@torproject.org>	2020-04-28 21:07:24 +1000
committer	teor <teor@torproject.org>	2020-04-28 21:07:24 +1000
commit	b43b9156614596e73df63be69ee439be93444802 (patch)
tree	c5c8ac12157e9abe48005558336310f785d70179 /tor-spec.txt
parent	79fba6de64025991da4aac402d0b7f69493105d8 (diff)
download	torspec-b43b9156614596e73df63be69ee439be93444802.tar.gz torspec-b43b9156614596e73df63be69ee439be93444802.zip