On 09/11/14 12:50, George Kadianakis wrote:
Hidden Service authorization is a pretty obscure feature of HSes, that can be quite useful for small-to-medium HSes.
Basically, it allows client access control during the introduction step. If the client doesn't prove itself, the Hidden Service will not proceed to the rendezvous step.
This allows HS operators to block access at a lower level than the application layer. It also prevents guard discovery attacks since the HS will not show up in the rendezvous. It's also a way for current HSes to hide their address and list of IPs from the HSDirs (we get this for free in rend-spec-ng.txt).
In the current HS implementation there are two ways to do authorization: https://gitweb.torproject.org/torspec.git/blob/HEAD:/rend-spec.txt#l768 Both have different threat models.
https://gitweb.torproject.org/torspec.git/blob/HEAD:/rend-spec.txt#l936
936 "client-key" NL a public key in PEM format
A private key is what's actually generated. Not sure if it's a bug in the spec, or a bug in tor. From a quick read of the rest of it, I'm guessing the spec?
X