aboutsummaryrefslogtreecommitdiff
path: root/proposals
diff options
context:
space:
mode:
Diffstat (limited to 'proposals')
-rw-r--r--proposals/000-index.txt6
-rw-r--r--proposals/245-tap-out.txt3
-rw-r--r--proposals/350-remove-tap.md189
-rw-r--r--proposals/BY_INDEX.md3
-rw-r--r--proposals/BY_STATUS.md3
-rw-r--r--proposals/SUMMARY.md3
6 files changed, 201 insertions, 6 deletions
diff --git a/proposals/000-index.txt b/proposals/000-index.txt
index 7e37484..0860c88 100644
--- a/proposals/000-index.txt
+++ b/proposals/000-index.txt
@@ -166,7 +166,7 @@ Proposals by number:
242 Better performance and usability for the MyFamily option [SUPERSEDED]
243 Give out HSDir flag only to relays with Stable flag [CLOSED]
244 Use RFC5705 Key Exporting in our AUTHENTICATE calls [CLOSED]
-245 Deprecating and removing the TAP circuit extension protocol [NEEDS-REVISION]
+245 Deprecating and removing the TAP circuit extension protocol [SUPERSEDED]
246 Merging Hidden Service Directories and Introduction Points [REJECTED]
247 Defending Against Guard Discovery Attacks using Vanguards [SUPERSEDED]
248 Remove all RSA identity keys [NEEDS-REVISION]
@@ -271,6 +271,7 @@ Proposals by number:
347 Domain separation for certificate signing keys [OPEN]
348 UDP Application Support in Tor [OPEN]
349 Client-Side Command Acceptance Validation [DRAFT]
+350 A phased plan to remove TAP onion keys [OPEN]
Proposals by status:
@@ -284,7 +285,6 @@ Proposals by status:
NEEDS-REVISION:
212 Increase Acceptable Consensus Age [for 0.2.4.x+]
219 Support for full DNS and DNSSEC resolution in Tor [for 0.2.5.x]
- 245 Deprecating and removing the TAP circuit extension protocol
248 Remove all RSA identity keys
269 Transitionally secure hybrid handshakes
279 A Name System API for Tor Onion Services
@@ -311,6 +311,7 @@ Proposals by status:
346 Clarifying and extending the use of protocol versioning
347 Domain separation for certificate signing keys
348 UDP Application Support in Tor
+ 350 A phased plan to remove TAP onion keys
ACCEPTED:
282 Remove "Named" and "Unnamed" handling from consensus voting [for arti-dirauth]
285 Directory documents should be standardized as UTF-8 [for arti-dirauth]
@@ -462,6 +463,7 @@ Proposals by status:
210 Faster Headless Consensus Bootstrapping
225 Strawman proposal: commit-and-reveal shared rng
242 Better performance and usability for the MyFamily option
+ 245 Deprecating and removing the TAP circuit extension protocol
247 Defending Against Guard Discovery Attacks using Vanguards
249 Allow CREATE cells with >505 bytes of handshake data
252 Single Onion Services
diff --git a/proposals/245-tap-out.txt b/proposals/245-tap-out.txt
index 6edc3f9..ec5a7ff 100644
--- a/proposals/245-tap-out.txt
+++ b/proposals/245-tap-out.txt
@@ -3,7 +3,8 @@ Filename: 245-tap-out.txt
Title: Deprecating and removing the TAP circuit extension protocol
Author: Nick Mathewson
Created: 2015-06-02
-Status: Needs-Revision
+Status: Superseded
+Superseded-by: 350
0. Introduction
diff --git a/proposals/350-remove-tap.md b/proposals/350-remove-tap.md
new file mode 100644
index 0000000..7fa83bd
--- /dev/null
+++ b/proposals/350-remove-tap.md
@@ -0,0 +1,189 @@
+```
+Filename: 350-remove-tap.md
+Title: A phased plan to remove TAP onion keys
+Author: Nick Mathewson
+Created: 31 May 2024
+Status: Open
+```
+
+## Introduction
+
+Back in [proposal 216], we introduced the `ntor` circuit extension handshake.
+It replaced the older `TAP` handshake, which was badly designed,
+and dependent on insecure key lengths (RSA1024, DH1024).
+
+With the [final shutdown of v2 onion services][hsv2-deprecation],
+there are no longer any supported users of TAP anywhere in the Tor protocols.
+Anecdotally, a relay operator reports that fewer than
+one handshake in 300,000 is currently TAP.
+(Such handshakes are presumably coming from long-obsolete clients.)
+
+Nonetheless, we continue to bear burdens from TAP support.
+For example:
+ - TAP keys compose a significant (but useless!) portion
+ of directory traffic.
+ - The TAP handshake requires cryptographic primitives
+ used nowhere else in the Tor protocols.
+
+Now that we are implementing [relays in Arti],
+the time is ripe to remove TAP.
+(The only alternative is to add a useless TAP implementation in Arti,
+which would be a waste of time.)
+
+This document outlines a plan to completely remove the TAP handshake,
+and its associated keys, from the Tor protocols.
+
+This is, in some respects, a modernized version of [proposal 245].
+
+## Migration plan
+
+Here is the plan in summary;
+we'll discuss each phase below.
+
+- Phase 1: Remove TAP dependencies
+ - Item 1: Stop accepting TAP circuit requests.
+ - Item 2: Make TAP keys optional in directory documents.
+ - Item 3: Publish dummy TAP keys.
+- Phase 2: After everybody has updated
+ - Item 1: Allow TAP-free routerdescs at the authorities
+ - Item 2: Generate TAP-free microdescriptors
+- Phase 3: Stop publishing dummy TAP keys.
+
+Phase 1 can begin immediately.
+
+Phase 2 can begin once all supported clients and relays have upgraded
+to run versions with the changes made in Phase 1.
+
+Phase 3 can begin once all authorities have made the changes
+described in phase 2.
+
+
+### Phase 1, Item 1: Stop accepting TAP circuit requests.
+
+(All items in phase 1 can happen in parallel.)
+
+Immediately, Tor relays should stop accepting TAP requests.
+This includes all CREATE cells (not CREATE2),
+and any CREATE2 cell whose type is TAP (0x0000).
+
+When receiving such a request,
+relays should respond with DESTROY.
+Relays MAY just drop the request entirely, however,
+if they find that they are getting too many requests.
+
+Such relays must stop reporting `Relay=1`
+among their supported protocol versions.
+(This protocol version is not currently required or recommended.)
+
+> If this proposal is accepted,
+> we should clarify the protocol version specification
+> to say that `Relay=1` specifically denotes TAP.
+
+
+### Phase 1, Item 2: Make TAP keys optional in directory documents.
+
+(All items in phase 1 can happen in parallel.)
+
+In C tor and Arti, we should make the `onion-key` entry
+and the `onion-key-crosscert` entry optional.
+(If either is present, the other still must be present.)
+
+When we do this, we should also modify the authority code
+to reject any descriptors that do not have these fields.
+(This will be needed so that existing Tor instances do not break.)
+
+In the microdescriptor documents format, we should make
+the _object_ of the `onion-key` element optional.
+(We do not want to make the element itself optional,
+since it is used to delimit microdescriptors.)
+
+We use new protocol version flags (Desc=X, Routerdesc=Y)
+to note the ability to parse these documents.
+
+### Phase 1, Item 3: Publish dummy TAP keys
+
+(All items in phase 1 can happen in parallel.)
+
+Even after step 2 is done,
+many clients and relays on the network
+will still require TAP keys to be present in directory documents.
+Therefore, we can't remove those keys right away.
+
+Relays, therefore, must put _some_ kind of RSA key
+into their `onion-key` field.
+
+I'll present three designs on what relays should do.
+We should pick one.
+
+> #### Option 1 (conservative)
+>
+> Maybe, we should say that a relay
+> should generate a TAP key, generate an onion-key-crosscert,
+> and then discard the private component of the key.
+
+> #### Option 2 (low-effort)
+>
+> In C tor, we can have relays simply proceed as they do now,
+> maintaining TAP private keys and generating crosscerts.
+>
+> This has little real risk beyond what is described in Option 1.
+
+> #### Option 3 (nutty)
+>
+> We _could_ generate a global, shared RSA1024 private key,
+> to be used only for generating onion-key-crosscerts
+> and placing into the onion-key field of a descriptor.
+>
+> We would say that relays publishing this key MUST NOT
+> actually handle any TAP requests.
+>
+> The advantage of this approach over Option 1
+> would be that we'd see gains in our directory traffic
+> immediately, since all identical onion keys would be
+> highly compressible.
+>
+> The downside here is that any client TAP requests
+> sent to such a relay would be decryptable by anybody,
+> which would expose long-obsolete clients to MITM attacks
+> by hostile guards.
+
+We would control the presence of these dummy TAP keys
+using a consensus parameter:
+
+`publish-dummy-tap-key` — If set to 1, relays should include a dummy TAP key
+in their routerdescs. If set to 0, relays should omit the TAP key
+and corresponding crosscert. (Min: 0, Max, 1, Default: 0.)
+
+We would want to ensure that all authorities voted for this parameter as "1"
+before enabling support for it at the relay level.
+
+
+### Phase 2, Item 1: Allow TAP-free routerdescs at the authorities
+
+Once all clients and relays have updated to a version
+where the `onion-key` router descriptor element is optional
+(see phase 1, item 2),
+we can remove the authority code that requires
+all descriptors to have TAP keys.
+
+### Phase 2, Item 2: Generate TAP-free microdescriptors
+
+Once all clients and descriptors have updated to a version
+where the `onion-key` body is optional in microdescriptors
+(see phase 1, item 2),
+we can add a new consensus method
+in which authorities omit the body when generating microdescriptors.
+
+### Phase 3: Stop publishing dummy TAP keys.
+
+Once all authorities have stopped requiring
+the `onion-key` element in router descriptors
+(see phase 2, item 1),
+we can disable the `publish-dummy-tap-key` consensus parameter,
+so that relays will no longer include TAP keys in their router descriptors.
+
+
+[proposal 216]: ./216-ntor-handshake.txt
+[proposal 245]: ./245-tap-out.txt
+[hsv2-deprecation]: https://support.torproject.org/onionservices/v2-deprecation/
+[relays in Arti]: https://gitlab.torproject.org/tpo/team/-/wikis/Sponsor%20141
diff --git a/proposals/BY_INDEX.md b/proposals/BY_INDEX.md
index 96e52b0..8d9380a 100644
--- a/proposals/BY_INDEX.md
+++ b/proposals/BY_INDEX.md
@@ -162,7 +162,7 @@ Below are a list of proposals sorted by their proposal number. See
* [`242-better-families.txt`](/proposals/242-better-families.txt): Better performance and usability for the MyFamily option \[SUPERSEDED\]
* [`243-hsdir-flag-need-stable.txt`](/proposals/243-hsdir-flag-need-stable.txt): Give out HSDir flag only to relays with Stable flag \[CLOSED\]
* [`244-use-rfc5705-for-tls-binding.txt`](/proposals/244-use-rfc5705-for-tls-binding.txt): Use RFC5705 Key Exporting in our AUTHENTICATE calls \[CLOSED\]
-* [`245-tap-out.txt`](/proposals/245-tap-out.txt): Deprecating and removing the TAP circuit extension protocol \[NEEDS-REVISION\]
+* [`245-tap-out.txt`](/proposals/245-tap-out.txt): Deprecating and removing the TAP circuit extension protocol \[SUPERSEDED\]
* [`246-merge-hsdir-and-intro.txt`](/proposals/246-merge-hsdir-and-intro.txt): Merging Hidden Service Directories and Introduction Points \[REJECTED\]
* [`247-hs-guard-discovery.txt`](/proposals/247-hs-guard-discovery.txt): Defending Against Guard Discovery Attacks using Vanguards \[SUPERSEDED\]
* [`248-removing-rsa-identities.txt`](/proposals/248-removing-rsa-identities.txt): Remove all RSA identity keys \[NEEDS-REVISION\]
@@ -267,4 +267,5 @@ Below are a list of proposals sorted by their proposal number. See
* [`347-domain-separation.md`](/proposals/347-domain-separation.md): Domain separation for certificate signing keys \[OPEN\]
* [`348-udp-app-support.md`](/proposals/348-udp-app-support.md): UDP Application Support in Tor \[OPEN\]
* [`349-command-state-validation.md`](/proposals/349-command-state-validation.md): Client-Side Command Acceptance Validation \[DRAFT\]
+* [`350-remove-tap.md`](/proposals/350-remove-tap.md): A phased plan to remove TAP onion keys \[OPEN\]
diff --git a/proposals/BY_STATUS.md b/proposals/BY_STATUS.md
index 84345ac..2455afe 100644
--- a/proposals/BY_STATUS.md
+++ b/proposals/BY_STATUS.md
@@ -41,6 +41,7 @@ for discussion.
* [`346-protovers-again.md`](/proposals/346-protovers-again.md): Clarifying and extending the use of protocol versioning
* [`347-domain-separation.md`](/proposals/347-domain-separation.md): Domain separation for certificate signing keys
* [`348-udp-app-support.md`](/proposals/348-udp-app-support.md): UDP Application Support in Tor
+* [`350-remove-tap.md`](/proposals/350-remove-tap.md): A phased plan to remove TAP onion keys
## ACCEPTED proposals: slated for implementation
@@ -113,7 +114,6 @@ certain changes.
* [`212-using-old-consensus.txt`](/proposals/212-using-old-consensus.txt): Increase Acceptable Consensus Age
* [`219-expanded-dns.txt`](/proposals/219-expanded-dns.txt): Support for full DNS and DNSSEC resolution in Tor
-* [`245-tap-out.txt`](/proposals/245-tap-out.txt): Deprecating and removing the TAP circuit extension protocol
* [`248-removing-rsa-identities.txt`](/proposals/248-removing-rsa-identities.txt): Remove all RSA identity keys
* [`269-hybrid-handshake.txt`](/proposals/269-hybrid-handshake.txt): Transitionally secure hybrid handshakes
* [`279-naming-layer-api.txt`](/proposals/279-naming-layer-api.txt): A Name System API for Tor Onion Services
@@ -297,6 +297,7 @@ implemented.
* [`210-faster-headless-consensus-bootstrap.txt`](/proposals/210-faster-headless-consensus-bootstrap.txt): Faster Headless Consensus Bootstrapping
* [`225-strawman-shared-rand.txt`](/proposals/225-strawman-shared-rand.txt): Strawman proposal: commit-and-reveal shared rng
* [`242-better-families.txt`](/proposals/242-better-families.txt): Better performance and usability for the MyFamily option
+* [`245-tap-out.txt`](/proposals/245-tap-out.txt): Deprecating and removing the TAP circuit extension protocol
* [`247-hs-guard-discovery.txt`](/proposals/247-hs-guard-discovery.txt): Defending Against Guard Discovery Attacks using Vanguards
* [`249-large-create-cells.txt`](/proposals/249-large-create-cells.txt): Allow CREATE cells with >505 bytes of handshake data
* [`252-single-onion.txt`](/proposals/252-single-onion.txt): Single Onion Services
diff --git a/proposals/SUMMARY.md b/proposals/SUMMARY.md
index 09e1270..477002b 100644
--- a/proposals/SUMMARY.md
+++ b/proposals/SUMMARY.md
@@ -155,7 +155,7 @@
- [`242-better-families`](./242-better-families.txt): Better performance and usability for the MyFamily option (SUPERSEDED)
- [`243-hsdir-flag-need-stable`](./243-hsdir-flag-need-stable.txt): Give out HSDir flag only to relays with Stable flag (CLOSED)
- [`244-use-rfc5705-for-tls-binding`](./244-use-rfc5705-for-tls-binding.txt): Use RFC5705 Key Exporting in our AUTHENTICATE calls (CLOSED)
- - [`245-tap-out`](./245-tap-out.txt): Deprecating and removing the TAP circuit extension protocol (NEEDS-REVISION)
+ - [`245-tap-out`](./245-tap-out.txt): Deprecating and removing the TAP circuit extension protocol (SUPERSEDED)
- [`246-merge-hsdir-and-intro`](./246-merge-hsdir-and-intro.txt): Merging Hidden Service Directories and Introduction Points (REJECTED)
- [`247-hs-guard-discovery`](./247-hs-guard-discovery.txt): Defending Against Guard Discovery Attacks using Vanguards (SUPERSEDED)
- [`248-removing-rsa-identities`](./248-removing-rsa-identities.txt): Remove all RSA identity keys (NEEDS-REVISION)
@@ -260,6 +260,7 @@
- [`347-domain-separation`](./347-domain-separation.md): Domain separation for certificate signing keys (OPEN)
- [`348-udp-app-support`](./348-udp-app-support.md): UDP Application Support in Tor (OPEN)
- [`349-command-state-validation`](./349-command-state-validation.md): Client-Side Command Acceptance Validation (DRAFT)
+ - [`350-remove-tap`](./350-remove-tap.md): A phased plan to remove TAP onion keys (OPEN)
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion