mirror of
https://github.com/torproject/torspec.git
synced 2024-11-27 11:50:32 +00:00
85 lines
3.4 KiB
Plaintext
85 lines
3.4 KiB
Plaintext
|
|
How to add a v3 directory authority.
|
|
|
|
What we'll be doing:
|
|
|
|
We'll be configuring your Tor server as a v3 directory authority,
|
|
generating a v3 identity key plus certificates, and adding your v3
|
|
identity fingerprint to the list of default directory authorities.
|
|
|
|
The steps:
|
|
|
|
0) Make sure you're running ntp, and that your time is correct.
|
|
|
|
Make sure you have Tor version at least r12724. In the short term,
|
|
running a working authority may mean running the latest version of
|
|
Tor from SVN trunk. Later on, we hope that it will become easier
|
|
and you can just run a recent development release (and later still,
|
|
a recent stable release).
|
|
|
|
1) First, you'll need a certificate. Run ./src/tools/tor-gencert to
|
|
generate one.
|
|
|
|
Run tor-gencert in a separate, very secure directory. Maybe even on
|
|
a more secure computer. The first time you run it, you will need to
|
|
run it with the --create-identity-key option to make a v3 authority
|
|
identity key. Subsequent times, you can just run it as-is.
|
|
|
|
tor-gencert will make 3 files:
|
|
|
|
authority_identity_key -- THIS IS VERY SECRET AND VERY SENSITIVE.
|
|
DO NOT LEAK IT. DO NOT LOSE IT.
|
|
|
|
authority_signing_key -- A key for signing votes and v3 conensuses.
|
|
|
|
authority_certificate -- A document authenticating your signing key
|
|
with your identity-key.
|
|
|
|
You will need to rotate your signing key periodically. The current
|
|
default lifetime is 1 year. We'll probably take this down to a month or
|
|
two some time soon. To rotate your key, run tor-gencert as before,
|
|
but without the --create-identity-key option.
|
|
|
|
2) Copy authority_signing_key and authority_certificate to your Tor keys
|
|
directory.
|
|
|
|
For example if your data directory is /var/lib/tor/, you should run
|
|
cp authority_signing_key authority_certificate /var/lib/tor/keys/
|
|
|
|
You will need to repeat this every time you rotate your certificate.
|
|
|
|
3) Tell your Tor to be a v3 authority by adding these lines to your torrc:
|
|
|
|
AuthoritativeDirectory 1
|
|
V3AuthoritativeDirectory 1
|
|
|
|
4) Now your authority is generating a networkstatus opinion (called a
|
|
"vote") every period, but none of the other authorities care yet. The
|
|
next step is to get a Tor developer (likely Roger or Nick) to add
|
|
your v3 identity fingerprint to the default list of dirservers.
|
|
|
|
First, you need to learn your authority's v3 identity fingerprint.
|
|
It should be in your authority_certificate file in a line like:
|
|
|
|
fingerprint 3041632465FA8847A98B2C5742108C72325532D9
|
|
|
|
One of the Tor developers then needs to add this fingerprint to
|
|
the add_default_trusted_dirservers() function in config.c, using
|
|
the syntax "v3ident=<fingerprint>". For example, if moria1's new v3
|
|
identity fingerprint is FOO, the moria1 dirserver line should now be:
|
|
|
|
DirServer moria1 v1 orport=9001 v3ident=FOO 128.31.0.34:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441
|
|
|
|
The v3ident item must appear after the nickname and before the IP.
|
|
|
|
5) Once your fingerprint has been added to config.c, we will try to
|
|
get a majority of v3 authorities to upgrade, so they know about you
|
|
too. At that point your vote will automatically be included in the
|
|
networkstatus consensus, and you'll be a fully-functioning contributing
|
|
v3 authority.
|
|
|
|
Note also that a majority of the configured v3 authorities need to
|
|
agree in order to generate a consensus: so this is also the point
|
|
where extended downtime on your server means missing votes.
|
|
|