On 10/01/13 19:07, Daniel Kahn Gillmor wrote:
> On 01/10/2013 12:57 PM, Michael Rogers wrote:
>> It does! Is that what Tor does to avoid being blocked? Or does Tor
>> just rely on self-signed certs being common enough to avoid
>> attracting attention?
>
> Hm, I don't know enough about Tor to answer. I wouldn't have even
> guessed that Tor would use client-side certificates. Does it really?
> I would have thought that Tor's emphasis on user anonymity would want
> to avoid that sort of thing.

I don't think it uses them for client-to-relay connections, but
relay-to-relay connections are mutually authenticated.

https://blog.torproject.org/blog/top-changes-tor-2004-design-paper-part-3

> The leak of the client credential to an eavesdropper seems like the
> problem to solve; I don't think trying to make the client certificate
> somehow more challenging to interpret is going to provide the
> confidentiality you'd want. If you use the double-handshake approach,
> it doesn't matter what the client certificate looks like, since it
> will only be seen by the legitimate peer.
>
> Given the above, I think facilitating the lookup by having an explicit
> indicator is preferable.

Good points. I agree that the double handshake's a better solution than
trying to obfuscate the certificates. Can the server's OpenPGP-based
certificate be converted into an ordinary-looking self-signed cert for
the outer layer of the double handshake?

> Thanks for the thoughtful discussion,

Likewise!

Cheers,
Michael

_______________________________________________
Freedombox-discuss mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss