aboutsummaryrefslogtreecommitdiff
path: root/attic/v3-authority-howto.txt
diff options
context:
space:
mode:
Diffstat (limited to 'attic/v3-authority-howto.txt')
-rw-r--r--attic/v3-authority-howto.txt84
1 files changed, 84 insertions, 0 deletions
diff --git a/attic/v3-authority-howto.txt b/attic/v3-authority-howto.txt
new file mode 100644
index 0000000..e4470e8
--- /dev/null
+++ b/attic/v3-authority-howto.txt
@@ -0,0 +1,84 @@
+
+ How to add a v3 directory authority.
+
+What we'll be doing:
+
+ We'll be configuring your Tor server as a v3 directory authority,
+ generating a v3 identity key plus certificates, and adding your v3
+ identity fingerprint to the list of default directory authorities.
+
+The steps:
+
+0) Make sure you're running ntp, and that your time is correct.
+
+ Make sure you have Tor version at least r12724. In the short term,
+ running a working authority may mean running the latest version of
+ Tor from SVN trunk. Later on, we hope that it will become easier
+ and you can just run a recent development release (and later still,
+ a recent stable release).
+
+1) First, you'll need a certificate. Run ./src/tools/tor-gencert to
+ generate one.
+
+ Run tor-gencert in a separate, very secure directory. Maybe even on
+ a more secure computer. The first time you run it, you will need to
+ run it with the --create-identity-key option to make a v3 authority
+ identity key. Subsequent times, you can just run it as-is.
+
+ tor-gencert will make 3 files:
+
+ authority_identity_key -- THIS IS VERY SECRET AND VERY SENSITIVE.
+ DO NOT LEAK IT. DO NOT LOSE IT.
+
+ authority_signing_key -- A key for signing votes and v3 conensuses.
+
+ authority_certificate -- A document authenticating your signing key
+ with your identity-key.
+
+ You will need to rotate your signing key periodically. The current
+ default lifetime is 1 year. We'll probably take this down to a month or
+ two some time soon. To rotate your key, run tor-gencert as before,
+ but without the --create-identity-key option.
+
+2) Copy authority_signing_key and authority_certificate to your Tor keys
+ directory.
+
+ For example if your data directory is /var/lib/tor/, you should run
+ cp authority_signing_key authority_certificate /var/lib/tor/keys/
+
+ You will need to repeat this every time you rotate your certificate.
+
+3) Tell your Tor to be a v3 authority by adding these lines to your torrc:
+
+ AuthoritativeDirectory 1
+ V3AuthoritativeDirectory 1
+
+4) Now your authority is generating a networkstatus opinion (called a
+ "vote") every period, but none of the other authorities care yet. The
+ next step is to get a Tor developer (likely Roger or Nick) to add
+ your v3 identity fingerprint to the default list of dirservers.
+
+ First, you need to learn your authority's v3 identity fingerprint.
+ It should be in your authority_certificate file in a line like:
+
+ fingerprint 3041632465FA8847A98B2C5742108C72325532D9
+
+ One of the Tor developers then needs to add this fingerprint to
+ the add_default_trusted_dirservers() function in config.c, using
+ the syntax "v3ident=<fingerprint>". For example, if moria1's new v3
+ identity fingerprint is FOO, the moria1 dirserver line should now be:
+
+ DirServer moria1 v1 orport=9001 v3ident=FOO 128.31.0.34:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441
+
+ The v3ident item must appear after the nickname and before the IP.
+
+5) Once your fingerprint has been added to config.c, we will try to
+ get a majority of v3 authorities to upgrade, so they know about you
+ too. At that point your vote will automatically be included in the
+ networkstatus consensus, and you'll be a fully-functioning contributing
+ v3 authority.
+
+ Note also that a majority of the configured v3 authorities need to
+ agree in order to generate a consensus: so this is also the point
+ where extended downtime on your server means missing votes.
+
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion