2 Title: Proposals that should be written
5 Author: Nick Mathewson, Roger Dingledine
11 This document lists ideas that various people have had for improving the
12 Tor protocol. These should be implemented and specified if they're
13 trivial, or written up as proposals if they're not.
15 This is an active document, to be edited as proposals are written and as
16 we come up with new ideas for proposals. We should take stuff out as it
20 For some later protool version.
22 - Fix onionskin handshake scheme to be more mainstream, less nutty.
24 E(HMAC(g^x), g^x) rather than just E(g^x) ?
25 No, that has the same flaws as before. We should send
26 E(g^x, C) with random C and expect g^y, HMAC_C(K=g^xy).
27 Better ask Ian; probably Stephen too.
28 - Versioned CREATE and friends
29 - Length on CREATE and friends
30 - Versioning on circuits
31 - Versioning on create cells
32 - SHA1 is showing its age
33 - Not being able to upgrade ciphersuites or increase key lengths is
35 - Paul has some ideas about circuit creation; read his PET paper once it's
37 - Allow more TLS ciphersuites.
41 - Some ideas for revising the directory protocol:
42 - Should we also look into a "delta since last network-status
43 checkpoint" scheme, to reduce overhead further?
44 - Extend the "r" line in network-status to give a set of buckets (say,
45 comma-separated) for that router.
46 - Buckets are deterministic based on IP address.
47 - Then clients can choose a bucket (or set of buckets) to
49 - We need a way for the authorities to declare that nodes are in a
50 family. Also, it kinda sucks that family declarations use O(N^2) space
52 - REASON_CONNECTFAILED should include an IP.
53 - Spec should incorporate some prose from tor-design to be more readable.
54 - Spec when we should rotate which keys
55 - Spec how to publish descriptors less often
56 - Describe pros and cons of non-deterministic path lengths
57 - get rid of the Named flag, or automate it at the dir auth end,
58 or automate it at the client end, or something.
60 - We should use a variable-length path length by default -- 3 +/- some
61 distribution. Need to think harder about allowing values less than 3,
62 and there's a tradeoff between having a wide variance and performance.
64 Things that should change...
66 B.1. ... but which will require backward-incompatible change
68 - Circuit IDs should be longer.
70 - Maybe, keys should be longer.
71 - Maybe, key-length should be adjustable. How to do this without
72 making anonymity suck?
73 - Drop backward compatibility.
74 - We should use a 128-bit subgroup of our DH prime.
75 - Handshake should use HMAC.
76 - Multiple cell lengths.
77 - Ability to split circuits across paths (If this is useful.)
78 - SENDME windows should be dynamic.
81 - Stop ever mentioning socks ports
83 B.1. ... and that will require no changes
85 - Mention multiple addr/port combos
86 - Advertised outbound IP?
87 - Migrate streams across circuits.
89 B.2. ... and that we have no idea how to do.
93 - Use a better AES mode that has built-in integrity checking,
94 doesn't grow with the number of hops, is not patented, and
95 is implemented and maintained by smart people.
97 Let onion keys be not just RSA but maybe DH too, for Paul's reply onion