From 1e074bfe15908069f1b61d4f9d95a3168e997a57 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 12 Jun 2013 21:12:35 -0400 Subject: Add three older documents removed from tor.git --- attic/v3-authority-howto.txt | 84 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 attic/v3-authority-howto.txt (limited to 'attic/v3-authority-howto.txt') diff --git a/attic/v3-authority-howto.txt b/attic/v3-authority-howto.txt new file mode 100644 index 0000000..e4470e8 --- /dev/null +++ b/attic/v3-authority-howto.txt 
@@ -0,0 +1,84 @@ + + How to add a v3 directory authority. + +What we'll be doing: + + We'll be configuring your Tor server as a v3 directory authority, + generating a v3 identity key plus certificates, and adding your v3 + identity fingerprint to the list of default directory authorities. + +The steps: + +0) Make sure you're running ntp, and that your time is correct. + + Make sure you have Tor version at least r12724. In the short term, + running a working authority may mean running the latest version of + Tor from SVN trunk. Later on, we hope that it will become easier + and you can just run a recent development release (and later still, + a recent stable release). + +1) First, you'll need a certificate. Run ./src/tools/tor-gencert to + generate one. + + Run tor-gencert in a separate, very secure directory. Maybe even on + a more secure computer. The first time you run it, you will need to + run it with the --create-identity-key option to make a v3 authority + identity key. Subsequent times, you can just run it as-is. + + tor-gencert will make 3 files: + + authority_identity_key -- THIS IS VERY SECRET AND VERY SENSITIVE. + DO NOT LEAK IT. DO NOT LOSE IT. + + authority_signing_key -- A key for signing votes and v3 conensuses. + + authority_certificate -- A document authenticating your signing key + with your identity-key. + + You will need to rotate your signing key periodically. The current + default lifetime is 1 year. We'll probably take this down to a month or + two some time soon. To rotate your key, run tor-gencert as before, + but without the --create-identity-key option. + +2) Copy authority_signing_key and authority_certificate to your Tor keys + directory. + + For example if your data directory is /var/lib/tor/, you should run + cp authority_signing_key authority_certificate /var/lib/tor/keys/ + + You will need to repeat this every time you rotate your certificate. 
+ +3) Tell your Tor to be a v3 authority by adding these lines to your torrc: + + AuthoritativeDirectory 1 + V3AuthoritativeDirectory 1 + +4) Now your authority is generating a networkstatus opinion (called a + "vote") every period, but none of the other authorities care yet. The + next step is to get a Tor developer (likely Roger or Nick) to add + your v3 identity fingerprint to the default list of dirservers. + + First, you need to learn your authority's v3 identity fingerprint. + It should be in your authority_certificate file in a line like: + + fingerprint 3041632465FA8847A98B2C5742108C72325532D9 + + One of the Tor developers then needs to add this fingerprint to + the add_default_trusted_dirservers() function in config.c, using + the syntax "v3ident=". For example, if moria1's new v3 + identity fingerprint is FOO, the moria1 dirserver line should now be: + + DirServer moria1 v1 orport=9001 v3ident=FOO 128.31.0.34:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441 + + The v3ident item must appear after the nickname and before the IP. + +5) Once your fingerprint has been added to config.c, we will try to + get a majority of v3 authorities to upgrade, so they know about you + too. At that point your vote will automatically be included in the + networkstatus consensus, and you'll be a fully-functioning contributing + v3 authority. + + Note also that a majority of the configured v3 authorities need to + agree in order to generate a consensus: so this is also the point + where extended downtime on your server means missing votes. + -- cgit v1.2.3-54-g00ecf
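Review bot: Step 2 names the two files to copy into the keys directory but never states that authority_identity_key must not be copied along with them. Step 1 warns "DO NOT LEAK IT. DO NOT LOSE IT." and recommends running tor-gencert in a separate, very secure directory, so step 2 should say explicitly that the identity key stays in that location and that only authority_signing_key and authority_certificate belong on the authority host. A short note in step 1 about keeping a protected backup of the identity key would cover the "DO NOT LOSE IT" half as well. Two smaller points: "conensuses" in the authority_signing_key description should be "consensuses", and in step 4 the phrase `the syntax "v3ident="` reads as incomplete; show the value slot there the same way the moria1 example does with v3ident=FOO.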