1 files changed, 83 insertions, 0 deletions

diff --git a/spec/rend-spec/hsdesc-outer.md b/spec/rend-spec/hsdesc-outer.md
new file mode 100644
index 0000000..f67fc6c
--- /dev/null
+++ b/spec/rend-spec/hsdesc-outer.md
@@ -0,0 +1,83 @@
+<a id="rend-spec-v3.txt-2.4"></a>
+
+# Hidden service descriptors: outer wrapper \[DESC-OUTER\]
+
+The format for a hidden service descriptor is as follows, using the
+meta-format from dir-spec.txt.
+
+"hs-descriptor" SP version-number NL
+
+\[At start, exactly once.\]
+
+```text
+       The version-number is a 32 bit unsigned integer indicating the version
+       of the descriptor. Current version is "3".
+
+     "descriptor-lifetime" SP LifetimeMinutes NL
+
+       [Exactly once]
+
+       The lifetime of a descriptor in minutes. An HSDir SHOULD expire the
+       hidden service descriptor at least LifetimeMinutes after it was
+       uploaded.
+
+       The LifetimeMinutes field can take values between 30 and 720 (12
+       hours).
+```
+
+<a id="descriptor-signing-key-cert"></a>
+```text
+    "descriptor-signing-key-cert" NL certificate NL
+
+       [Exactly once.]
+
+       The 'certificate' field contains a certificate in the format from
+       proposal 220, wrapped with "-----BEGIN ED25519 CERT-----".  The
+       certificate cross-certifies the short-term descriptor signing key with
+       the blinded public key.  The certificate type must be [08], and the
+       blinded public key must be present as the signing-key extension.
+```
+
+```text
+     "revision-counter" SP Integer NL
+
+       [Exactly once.]
+
+       The revision number of the descriptor. If an HSDir receives a
+       second descriptor for a key that it already has a descriptor for,
+       it should retain and serve the descriptor with the higher
+       revision-counter.
+
+       (Checking for monotonically increasing revision-counter values
+       prevents an attacker from replacing a newer descriptor signed by
+       a given key with a copy of an older version.)
+
+       Implementations MUST be able to parse 64-bit values for these
+       counters.
+```
+
+```text
+     "superencrypted" NL encrypted-string
+
+       [Exactly once.]
+
+       An encrypted blob, whose format is discussed in [HS-DESC-ENC] below. The
+       blob is base64 encoded and enclosed in -----BEGIN MESSAGE---- and
+       ----END MESSAGE---- wrappers. (The resulting document does not end with
+       a newline character.)
+```
+
+```text
+     "signature" SP signature NL
+
+       [exactly once, at end.]
+
+       A signature of all previous fields, using the signing key in the
+       descriptor-signing-key-cert line, prefixed by the string "Tor onion
+       service descriptor sig v3". We use a separate key for signing, so that
+       the hidden service host does not need to have its private blinded key
+       online.
+```
+
+HSDirs accept hidden service descriptors of up to 50k bytes (a consensus
+parameter should also be introduced to control this value).