This is a specification for a well-known registry submission according to RFC 8615.
current state: submitted
This resource identifier is used for the verification of Tor relay contact information (more specifically the operatorurl). It can also be used for autodiscovery of Tor relays run by a given entity, if the entity domain is known. It solves the issue that Tor relay contact information is a unidirectional and unverified claim by nature. This well-known URI aims to allow the verification of the unidirectional claim. It aims to reduce the risk of impersonation attacks, where a Tor relay claims to be operated by a certain entity, but actually isn’t. The automated verification will also support the visualization of relay groups.
The “tor-relay” URI allows for the verification of that claim by fetching the files containing Tor relay ID(s) under the specified URI, because attackers cannot easily place these files at the given location.
By publishing Tor relay IDs under this URI the website operator claims to operate these relays. The verification of listed Tor relay IDs only succeeds if the claim can be verified bidirectionally (website -> relay and relay -> website).
This URI is not related to Tor bridges or Tor onion services.
The URL MUST be HTTPS and use a valid TLS certificate from a generally trusted root CA. Plain HTTP MUST NOT be used.
Example file content:
# we operate these Tor relays
A234567890123456789012345678901234567ABC
B234567890123456789012345678901234567890
The RSA SHA1 relay fingerprint can be found in the file named “fingerprint” located in the Tor data directory on the relay.
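The bidirectional check described above, as an added example that is not part of the submission itself. It assumes the file body has already been fetched over HTTPS with certificate validation and that each relay's operatorurl has been extracted from its contact information; the function names and the sample claims are hypothetical.

```python
import re
from urllib.parse import urlsplit

FINGERPRINT = re.compile(r"[0-9A-Fa-f]{40}")  # RSA SHA1 relay fingerprint, 40 hex chars

def parse_relay_file(text):
    """Return the fingerprints listed in a tor-relay file, upper-cased."""
    listed = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        if FINGERPRINT.fullmatch(line):        # anything malformed is ignored
            listed.add(line.upper())
    return listed

def https_host(url):
    """Hostname of an https:// URL, lower-cased; None for plain HTTP or junk."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()

def verify_relays(relay_claims, site_url, site_file_text):
    """relay_claims maps fingerprint -> operatorurl taken from relay contact info.
    A relay is verified only if it names the site AND the site lists the relay."""
    host = https_host(site_url)
    listed = parse_relay_file(site_file_text) if host else set()
    verdict = {}
    for fingerprint, operatorurl in relay_claims.items():
        relay_to_site = host is not None and https_host(operatorurl) == host
        site_to_relay = fingerprint.upper() in listed
        verdict[fingerprint.upper()] = relay_to_site and site_to_relay
    return verdict

# Constructed sample data: the file body is the page's example, the claims are made up.
SITE_FILE = """# we operate these Tor relays
A234567890123456789012345678901234567ABC
B234567890123456789012345678901234567890
"""
CLAIMS = {
    "A234567890123456789012345678901234567ABC": "https://example.org",    # both directions
    "B234567890123456789012345678901234567890": "https://other.example",  # site -> relay only
    "C234567890123456789012345678901234567890": "https://example.org",    # relay -> site only
}

if __name__ == "__main__":
    for fp, ok in verify_relays(CLAIMS, "https://example.org", SITE_FILE).items():
        print(fp, "verified" if ok else "NOT verified")
```

The third claim is the impersonation case: a relay names the site in its contact information, but the site does not list it, so verification fails.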
tor-relay-well-known-uri AT riseup.net