changes file and manpage entry for AuthDirPinKeys

diff --git a/changes/bug17135 b/changes/bug17135
new file mode 100644 (file)
index 0000000..0a0c57e
--- /dev/null
+++ b/changes/bug17135
@@ -0,0 +1,7 @@
+  o Major features (Ed25519 keys, keypinning)
+    - The key-pinning option on directory authorities is now
+      advisory-only by default. In a future version, or when the
+      AuthDirPinKeys option is set, pins are enforced again.
+      Disabling key-pinning seemed like a good idea so that we can
+      survive the fallout of any usability problems associated with
+      ed25519 keys. Closes ticket 17135.

diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index 14b13bc09e1c85804ed7f77d17eb84624c56d874..954c8fa243ea15f7a2c820a78dd585f820b75986 100644 (file)
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -2081,6 +2081,13 @@ on the public Tor network.
     or more is always sufficient to satisfy the bandwidth requirement
     for the Guard flag. (Default: 250 KBytes)
 
+[[AuthDirPinKeys]] **AuthDirPinKeys** **0**|**1**::
+    Authoritative directories only. If non-zero, do not allow any relay to
+    publish a descriptor if any other relay has reserved its <Ed25519,RSA>
+    identity keypair. In all cases, Tor records every keypair it accepts
+    in a journal if it is new, or if it differs from the most recently
+    accepted pinning for one of the keys it contains. (Default: 0)
+
 [[BridgePassword]] **BridgePassword** __Password__::
     If set, contains an HTTP authenticator that tells a bridge authority to
     serve all requested bridge information. Used by the (only partially