On 29 Oct 2017, at 01:30, George Kadianakis <desnacked@riseup.net> wrote:
# 220-ecc-ids-keys.txt
Is this the latest version of the ECC ID specification? Usually, our proposals are integrated into the main spec documents after they are implemented.
# 2.1
- 'The signature is formed by signing the first N-64 bytes of the certificate prefixed with the string "Tor node signing key certificate v1".' I found this to be false; the signatures only validate without the string prefix.
Ouch... I think we should edit the spec and consider if there are any security risks here.
One security risk is that signatures on these certificates are re-usable in other contexts. For example, if two different parts of the Tor code believe signed certificates without prefixes, an adversary can take a certificate signed for one of them, and pass it to the other.
## A.1
- I realized that the certificate types here are outdated. The signing-key extension is listed as type [04], when in rend-spec-v3.txt and the C implementation it is type [08].
Let's fix the spec here too...
This should definitely be integrated into one of the main specs.
T
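
The cross-context reuse risk discussed in the message above, as an added example that is not part of the original thread and is not Tor's code: a certificate whose last 64 bytes are an Ed25519 signature over the first N-64 bytes, verified with and without a context prefix. The names `sealCert`, `verifyCert`, `demoKey` and the string `otherPrefix` are hypothetical, and the key and certificate body are constructed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Prefix string quoted in the thread from section 2.1 of the proposal.
const certPrefix = "Tor node signing key certificate v1"

// Hypothetical second signing context, invented for this example.
const otherPrefix = "example other-context document v1"

// sealCert returns body followed by a 64-byte signature over prefix||body.
// An empty prefix gives the unprefixed behaviour reported in the thread.
func sealCert(priv ed25519.PrivateKey, prefix string, body []byte) []byte {
	msg := append([]byte(prefix), body...)
	sig := ed25519.Sign(priv, msg)
	return append(append([]byte{}, body...), sig...)
}

// verifyCert checks the trailing 64 bytes as a signature over
// prefix || (first N-64 bytes of cert).
func verifyCert(pub ed25519.PublicKey, prefix string, cert []byte) bool {
	if len(cert) < ed25519.SignatureSize {
		return false // too short to contain a signature
	}
	n := len(cert) - ed25519.SignatureSize
	msg := append([]byte(prefix), cert[:n]...)
	return ed25519.Verify(pub, msg, cert[n:])
}

// demoKey derives a deterministic key pair from a constructed all-zero seed.
func demoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKey()
	body := []byte("constructed certificate body")
	bare := sealCert(priv, "", body)
	tagged := sealCert(priv, certPrefix, body)
	// Any verifier that uses no prefix accepts the same bytes, whatever its purpose.
	fmt.Println("bare, prefix-less verifier:", verifyCert(pub, "", bare))
	fmt.Println("tagged, own context:", verifyCert(pub, certPrefix, tagged))
	fmt.Println("tagged, other context:", verifyCert(pub, otherPrefix, tagged))
}
```

A prefix-less verifier has nothing that ties the signature to its purpose, so every such verifier trusting the same key accepts the same bytes; with the prefix, the signature only validates in the context it was made for.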