[tor-dev] Of CA-signed certs and .onion URIs

Jeremy Rowley jeremy.rowley at digicert.com
Fri Nov 14 18:41:06 UTC 2014

Great summary Tom,

From my perspective, getting .onion reserved is a pretty high priority.  Once reserved, we can really eliminate it as an internal name and get onion listed as part of the PSL. I'm happy to help with this part of the project if I can.

> Syrup-tan had an idea on irc: Have a DV certificate sign a certificate
> that is valid for the .onion URL, and display the URL of the DV
> certificate.  This doesn't eliminate phishing - I can register
> facebok.com and then get that displayed.  But doing bootstrapping off
> DNS and DV certificates is a fairly low bar in terms of the cost to a
> .onion operator. (There are other concerns here, I'm not completely
> comfortable with repurposing the EV indicator in this way. Asa on irc
> had the good point that if we did this, maybe we'd want to change the
> EV green to another color just to be a little bit different. Not that
> I really expect users to notice that though...)

This is similar to what I was thinking by proposing that CAs have both a non-onion and onion name in it. If you do that and both are validated as part of the same certificate order, you could give users an indicator that the non-onion name is related to the onion name in the certificate.

> Allowing an organization to purchase an EV certificate from a CA, and
> display the organization's name in the address bar, is another way -
> albeit a very high bar in terms of cost to an onion operator.

I'm hoping the cost won't be high - I'm interested in this solely as something that supports Tor and companies like Facebook who want to give users greater privacy. Like you, I'm not looking to make EV certs required for onion operators.  Instead, I'd like to see them permitted under the industry standards for companies looking to prominently promote their onion services.  The biggest penalty of requiring EV is that it locks out individuals - which is very bad.  I've proposed EV for individuals several times on the forum.  Probably time to bring it up again.

> But there should be at least one more solution in
> the short to long term (e.g. a petname approach).  Unfortunately, if
> the time between now and the 'long term' solution is too long, it
> locks out everyone who can't get an EV cert - which is a legitimate
> concern. Perhaps after there's a spec Tor likes, some large
> organization concerned about preventing phishing could throw some
> engineering time at the problem.
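The pairing idea discussed above (one certificate order that validates both a public DNS name and an onion name, so a client can tell the user the two are related) can be checked on the client side by inspecting the certificate's subjectAltName list. The following is an added example written for this page, not code from the thread, from DigiCert or from the Tor Project. It assumes the certificate is available as a dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the sample certificate, its `example.com` names and its 16-character onion label are constructed for illustration.

```python
import re

# Onion service names are a single base32 label under .onion: 16 characters
# for v2 addresses (the only kind in 2014) or 56 characters for v3 addresses.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# The names are placeholders, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "www.example.com"),
        ("DNS", "abcdefghijklmnop.onion"),
    ),
}


def san_dns_names(cert):
    """Return the dNSName entries of a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def is_valid_onion(name):
    """True if name is a syntactically valid onion service name.

    Rejects wildcards and empty labels: a name such as *.onion covers the whole
    suffix and identifies no particular service, so it must never count as one.
    """
    labels = name.lower().split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        return False
    if any(label in ("", "*") for label in labels):
        return False
    return ONION_LABEL.match(labels[-2]) is not None


def onion_pairing(cert):
    """Split the SAN names into onion names, public DNS names and rejected entries.

    'paired' is True only when the certificate binds at least one well-formed
    onion name to at least one public name and carries no malformed or
    wildcard onion entries; that is the condition under which a client could
    show a "this onion service belongs to <public name>" indicator.
    """
    onion, public, rejected = [], [], []
    for name in san_dns_names(cert):
        lower = name.lower()
        if lower == "onion" or lower.endswith(".onion"):
            (onion if is_valid_onion(lower) else rejected).append(name)
        else:
            public.append(name)
    return {
        "onion": onion,
        "public": public,
        "rejected": rejected,
        "paired": bool(onion) and bool(public) and not rejected,
    }


if __name__ == "__main__":
    for key, value in onion_pairing(SAMPLE_CERT).items():
        print(f"{key}: {value}")
```

The syntax check only guards the client's display logic; whether the onion operator actually controls the key behind the onion name is the CA's validation problem at issuance, which is the part of the process the thread is about.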

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20141114/ff734d6c/attachment.html>
