On Feb 22, 2016, at 06:18, Alec Muffett alecm@fb.com wrote:
Apologies for contradicting you, but there is nothing "tenuous" about Onion certificates.
I don't mind being contradicted. I was responding to articles like this one, which said "these .onion certificates are considered internal name certificates. The CA/Browser Forum has deprecated the use of public SSL Certificates for internal names and they will no longer be allowed after November 1, 2015. "
https://blog.digicert.com/the-current-state-of-onion-certificates-and-what-h...
I realize that situation has changed in the past year, with the IETF's official recognition of the .onion space.
Thanks for the references. They'll help me get up to speed on the current state of things.
Though I agree about the risk of ghettoization of the .onion space, I also see an opportunity here to avoid some of the pitfalls of the current SSL certificate trust model, specifically with regards to rogue authorities and stolen/forged signing keys.
Again, thanks...
--Ron