import the KeyManagement faq entry
Roger Dingledine

Roger Dingledine committed on 2008-11-23 07:32:39
Showing 1 changed file with 48 insertions and 3 deletions.

... ...
@@ -39,6 +39,11 @@ funding?</a></li>
39 39
 
40 40
 <p>Running a Tor hidden service:</p>
41 41
 
42
+<p>Anonymity and Security:</p>
43
+<ul>
44
+<li><a href="#KeyManagement">What are all these keys used for?</a></li>
45
+</ul>
46
+
42 47
 <hr />
43 48
 
44 49
 <a id="General"></a>
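Review bot: the new "Anonymity and Security:" index block lands directly under <p>Running a Tor hidden service:</p>, which in the context lines has no <ul> of its own before the <hr />, so the index will render an empty heading immediately followed by the new one. Either give the hidden-service heading its entries or drop it until it has some, so that the "What are all these keys used for?" link is not read as part of the hidden-service section.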
... ...
@@ -444,14 +449,54 @@ to the project, or <a href="<page contact>">contact</a> our executive
444 449
 director for information on making grants or major donations.
445 450
 </p>
446 451
 
447
-
448 452
 <hr />
449 453
 
450
-<a id="question"></a>
451
-<h3><a class="anchor" href="#question">Question?</a></h3>
454
+<a id="KeyManagement"></a>
455
+<h3><a class="anchor" href="#KeyManagement">What are all these keys
456
+used for?</a></h3>
457
+
458
+<p>
459
+Every Tor relay has a public decryption key (rotated once a
460
+week). When the Tor clients establish circuits, at each step they <a
461
+href="<svnsandbox>doc/design-paper/tor-design.html#subsec:circuits">demand
462
+that the Tor relay prove knowledge of its private key</a>. That way
463
+the first node in the path can't just spoof the rest of the path.
464
+</p>
465
+
466
+<p>
467
+How do clients know what the relays are, and how do they know that they
468
+have the right keys for them? The directory servers provide a signed list
469
+of all the approved relays, and in that list are a set of self-signed
470
+certificates from each relay, specifying their keys, locations, exit
471
+policies, and so on. So unless the adversary can control a directory
472
+server (and starting in Tor 0.1.1.x, a threshold of the directory
473
+servers), he can't trick the Tor client into using other Tor relays.
474
+</p>
475
+
476
+<p>
477
+How do clients know what the directory servers are? The list comes with
478
+the Tor distribution. It hard-codes their locations and their public
479
+keys. So the only way to trick the user into using a fake Tor network
480
+is to give them a specially modified version of the software.
481
+</p>
452 482
 
483
+<p>
484
+How do users know they've got the right software? When we distribute
485
+the source code or a package, we digitally sign it with <a
486
+href="http://www.gnupg.org/">GNU Privacy Guard</a>. Also see the <a
487
+href="https://wiki.torproject.org/noreply/TheOnionRouter/VerifyingSignatures">instructions
488
+on how to check Tor's signatures</a>.
489
+</p>
453 490
 
491
+<p>
492
+In order to be absolutely certain that it's signed by the developers,
493
+you need to have met them in person and gotten a copy of their key
494
+fingerprint, or you need to know somebody who has. If you're concerned
495
+about an attack on this level, we recommend you get involved with the
496
+security community and start meeting people.
497
+</p>
454 498
 
499
+<hr />
455 500
 
456 501
   </div><!-- #main -->
457 502
 
458 503
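Review bot: "public decryption key" in the first added paragraph mixes two terms. The public half of a key pair is what clients encrypt to, and the private half decrypts; the very next sentence has the relay "prove knowledge of its private key". Suggest wording along the lines of "Every Tor relay has a public key (rotated once a week) whose private half it uses for decryption", so a reader does not come away thinking the decryption key is public. Separately, the GnuPG link in the signature paragraph is plain http://www.gnupg.org/ while the wiki link next to it is https; in a paragraph about verifying the software, prefer an HTTPS link if the site offers one.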