I know that a select few public SSL certificates have been issued for .onion domains, but I understand that the status of those certs is tenuous.
Apologies for contradicting you, but there is nothing "tenuous" about Onion certificates.
They are fully fledged, official certificates, and the domain-related issues have all been solved.
The open issue, if any, is that such certificates are "EV"-style, and as such are only really open to companies because of background checks.
Has anyone considered implementing a custom certificate service just for .onions? If the Tor Browser shipped with an additional root certificate, that certificate could be used to sign .onion domains.
My feelings regarding such a proposal are "that would work, yes, but that would put Onions into a 'SSL Ghetto' and inhibit adoption of Onion technologies by 'normal' browsers".
Proof of ownership of .onion domains is relatively easy to ascertain.
These are concerns which must be addressed (or constructively negated) to _some_ extent, to pursue Onion DV certs a-la LetsEncrypt.
I haven't looked at the problem in detail, but I believe that a fully-automated process could issue certs for arbitrary .onion domains, encrypted with the domain's public key. Only the domain owner would have the private key to decrypt and install the certificate.
Yes, that could happen. That's one of the methods suggested in Ballot-144. The CABForum have somewhat justified concerns with that mechanism, mostly regarding revocation, Onion certificate theft, and SHA hash-collisions.
The Certificate/CABForum world has grown up in partnership with capabilities like taking domain-name dispute resolution to some kind of arbiter, but Onionspace lacks such - onions are much more binary, hinging upon possession of the Onion key.
This means that CABForum needs gentle introduction to wholesale change. The establishment of more 'official' SSL/EV keys in Onionspace will make an argument for further growth.
torproject.org would have to be willing to ship the Tor Browser with the necessary root certificate, but the root would not need the blessing of the CA/Browser Forum or any other authority figure.
In summary, I repeat, I feel this would address a short-term, TorBrowserBundle need, but cause harm elsewhere to the greater world's adoption of Onions.
-a
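As an added illustration of the point made in this exchange that onion ownership "hinges upon possession of the Onion key" (the name is a deterministic function of the public key, so checking that a key matches a name is mechanical), here is a small Python example. It is not code from this thread or from the Tor Project: it implements the legacy v2 derivation (SHA-1 of the DER-encoded RSA public key, truncated to 80 bits) that the 2015 discussion was about, and, going beyond the thread's era, the v3 derivation and parser (32-byte ed25519 key, SHA3-256 checksum, version byte) that a validating issuer would run today. The key bytes and the DER blob in the demo are constructed stand-ins, not real keys.

```python
import base64
import hashlib

ONION_V3_VERSION = b"\x03"
ONION_V3_CHECKSUM_PREFIX = b".onion checksum"


def v3_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]."""
    return hashlib.sha3_256(ONION_V3_CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def v3_onion_address(pubkey: bytes) -> str:
    """Derive a v3 address from a 32-byte ed25519 public key.

    onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
    """
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + ONION_V3_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def v3_pubkey_from_address(address: str) -> bytes:
    """Parse a v3 address, check its structure and checksum, return the embedded key.

    Raises ValueError on any malformation, so a would-be issuer cannot
    accidentally accept a corrupted or crafted name.
    """
    name = address.lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if len(name) != 56:
        raise ValueError("v3 onion address must be 56 base32 characters")
    try:
        raw = base64.b32decode(name.upper())
    except Exception as exc:  # binascii.Error on non-base32 input
        raise ValueError("address is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != v3_checksum(pubkey):
        raise ValueError("onion address checksum mismatch")
    return pubkey


def key_matches_address(pubkey: bytes, address: str) -> bool:
    """The ownership check an issuer would run: does this key produce exactly this name?"""
    try:
        return v3_pubkey_from_address(address) == pubkey
    except ValueError:
        return False


def v2_onion_address(rsa_public_key_der: bytes) -> str:
    """Legacy v2 derivation: base32(SHA-1(DER(RSAPublicKey))[:10]) + ".onion".

    Only 80 bits of the SHA-1 digest survive, which is the truncation behind
    the hash-collision concern mentioned in the thread.
    """
    digest = hashlib.sha1(rsa_public_key_der).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


if __name__ == "__main__":
    # Constructed stand-in for an ed25519 public key (not a real key).
    demo_pubkey = bytes(range(32))
    addr = v3_onion_address(demo_pubkey)
    print("v3 address:", addr)
    print("key matches address:", key_matches_address(demo_pubkey, addr))
    print("wrong key matches address:", key_matches_address(bytes(32), addr))
    # Constructed stand-in for a DER-encoded RSAPublicKey (not a real key).
    print("v2 address:", v2_onion_address(b"constructed RSAPublicKey DER bytes"))
```

The v3 parser is deliberately strict: length, version byte and checksum are all checked before the key is returned, so a single flipped character in a name is rejected rather than silently yielding a different key. The v2 function is included only to make the 80-bit truncation concrete; it is not a validation routine, since v2 names carry no checksum.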