From aa68b6c62fd57157bf111c96ed45fb8c539e865a Mon Sep 17 00:00:00 2001 From: Gabriela Moldovan Date: Mon, 5 Jun 2023 19:52:30 +0100 Subject: rend-spec: Document directory behaviour for handling descriptor uploads. This adds a paragraph describing the checks hidden service directories are supposed to perform before accepting a descriptor upload. Signed-off-by: Gabriela Moldovan --- rend-spec-v3.txt | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'rend-spec-v3.txt') diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt index 53880db..bbe7b91 100644 --- a/rend-spec-v3.txt +++ b/rend-spec-v3.txt @@ -995,6 +995,28 @@ Table of contents: Consider that the service is at 01:00 right after SRV#2: it will upload its second descriptor using TP#2 and SRV#2. +2.2.4.3. Directory behavior for handling descriptor uploads [DIRUPLOAD] + + Upon receiving a hidden service descriptor publish request, directories MUST + check the following: + + * The outer wrapper of the descriptor can be parsed according to + [DESC-OUTER] + * The version-number of the descriptor is "3" + * If the directory has already cached a descriptor for this hidden service, + the revision-counter of the uploaded descriptor must be greater than the + revision-counter of the cached one + * The descriptor signature is valid + + If any of these basic validity checks fails, the directory MUST reject the + descriptor upload. + + NOTE: Even if the descriptor passes the checks above, its first and second + layers could still be invalid: directories cannot validate the encrypted + layers of the descriptor, as they do not have access to the public key of the + service (required for decrypting the first layer of encryption), or the + necessary client credentials (for decrypting the second layer). + 2.2.5. Expiring hidden service descriptors [EXPIRE-DESC] Hidden services set their descriptor's "descriptor-lifetime" field to 180 -- cgit v1.2.3-54-g00ecf