1 files changed, 39 insertions, 5 deletions

diff --git a/dir-spec.txt b/dir-spec.txt
index 1cf3665..0de986f 100644
--- a/dir-spec.txt
+++ b/dir-spec.txt
@@ -711,7 +711,6 @@ Table of Contents
          - Any OOM invocation due to memory pressure
          - Any ntor onionskins are dropped
          - TCP port exhaustion
-         - DNS timeout reached
 
       The timestamp is when at least one metrics was detected. It should always
       be at the hour and thus, as an example, "2020-01-10 13:00:00" is an
@@ -1331,6 +1330,8 @@ Table of Contents
         is first added after the relay has been running for at least 24
         hours.
 
+        (Introduced in tor-0.4.6.1-alpha)
+
     "hidserv-rend-relayed-cells" SP NUM SP key=val SP key=val ... NL
         [At most once.]
     "hidserv-rend-v3-relayed-cells" SP NUM SP key=val SP key=val ... NL
@@ -1351,6 +1352,8 @@ Table of Contents
         integer and included as 'NUM'. Note that the overall reported
         value can be negative.
 
+        (Introduced in tor-0.4.6.1-alpha)
+
     "hidserv-dir-onions-seen" SP NUM SP key=val SP key=val ... NL
         [At most once.]
     "hidserv-dir-v3-onions-seen" SP NUM SP key=val SP key=val ... NL
@@ -1366,6 +1369,8 @@ Table of Contents
         of this line. Note that the overall reported value can be
         negative.
 
+        (Introduced in tor-0.4.6.1-alpha)
+
     "transport" transportname address:port [arglist] NL
         [Any number.]
 
@@ -2330,6 +2335,11 @@ Table of Contents
           "Fast" if the router is suitable for high-bandwidth circuits.
           "Guard" if the router is suitable for use as an entry guard.
           "HSDir" if the router is considered a v2 hidden service directory.
+          "MiddleOnly" if the router is considered unsuitable for
+             usage other than as a middle relay. Clients do not need
+             to handle this option, since when it is present, the authorities
+             will automatically vote against flags that would make the router
+             usable in other positions. (Since 0.4.7.2-alpha.)
           "NoEdConsensus" if any Ed25519 key in the router's descriptor or
              microdescriptor does not reflect authority consensus.
           "Stable" if the router is suitable for long-lived circuits.
@@ -2639,6 +2649,13 @@ Table of Contents
    authority believes that it's been up for at least 96 hours (or the current
    value of MinUptimeHidServDirectoryV2).
 
+   "MiddleOnly" -- An authority should vote for this flag if it believes
+   that a relay is unsuitable for use except as a middle relay.  When
+   voting for this flag, the authority should also vote against "Exit",
+   "Guard", "HsDir", and "V2Dir".  When voting for this flag, if the
+   authority votes on the "BadExit" flag, the authority should vote in
+   favor of "BadExit".  (This flag was added in 0.4.7.2-alpha.)
+
    "NoEdConsensus" -- authorities should not vote on this flag; it is
    produced as part of the consensus for consensus method 22 or later.
 
@@ -2958,6 +2975,13 @@ Table of Contents
           "bwweightscale" and "maxunmeasuredbw" parameters correctly when
           computing votes.
 
+        * If consensus method 32 or later is used, authorities handle the
+          "MiddleOnly" flag specially when computing a consensus.  When the
+          voters agree to include "MiddleOnly" in a routerstatus, they
+          automatically remove "Exit", "Guard", "V2Dir", and "HSDir".  If
+          the BadExit flag is included in the consensus, they automatically
+          add it to the routerstatus.
+
         * If consensus method 33 or later is used, and the consensus
           flavor is "microdesc", then the "Publication" field in the "r"
           line is set to "2038-01-01 00:00:00".
@@ -4167,10 +4191,20 @@ C. Converting a curve25519 public key to an ed25519 public key
    [Recomputing the sign bit from the private key every time sounds
    rather strange and inefficient to me… —isis]
 
-   Alternatively, without access to the corresponding ed25519 private
-   key, one may use the Montgomery u-coordinate to recover the
-   Montgomery v-coordinate by computing the right-hand side of the
-   Montgomery curve equation:
+   Note that in addition to its coordinates, an expanded Ed25519 private key
+   also has a 32-byte random value, "prefix", used to compute internal `r`
+   values in the signature.  For security, this prefix value should be
+   derived deterministically from the curve25519 key.  The Tor
+   implementation derives it as SHA512(private_key | STR)[0..32], where
+   STR is the nul-terminated string:
+
+        "Derive high part of ed25519 key from curve25519 key\0"
+
+
+   On the client side, where there is no access to the curve25519 private
+   keys, one may use the curve25519 public key's Montgomery u-coordinate to
+   recover the Montgomery v-coordinate by computing the right-hand side of
+   the Montgomery curve equation:
 
          bv^2 = u(u^2 + au +1)