[tor-dev] Of CA-signed certs and .onion URIs

Matthew Finkel matthew.finkel at gmail.com
Tue Nov 18 21:43:47 UTC 2014

On Tue, Nov 18, 2014 at 05:55:29PM +0000, George Kadianakis wrote:
> Tom Ritter <tom at ritter.vg> writes:
> > There's been a spirited debate on irc, so I thought I would try and
> > capture my thoughts in long form. I think it's important to look at
> > the long-term goals rather than how to get there, so that's where I'm
> > going to start, and then at each item maybe talk a little bit about
> > how to get there.  So I think the Tor Project and Tor Browser should:
> >
> > a) Eliminate self-signed certificate errors when browsing https:// on
> > an onion site
> > b) Consider how Mixed Content should interact with .onion browsing
> > c) Get .onion IANA reserved
> > d) Address the problems that Facebook is/was concerned about when
> > deploying a .onion
> > e) Consider how EV treatment could be used to improve poor .onion readability
> >
> Thanks for all the thoughts Tom!

Ditto. I agree this was a very nice summary.

> This is hard topic and I don't really have strong opinions on this.
> Some notes:
> - Allowing self-signed certs sounds like a potentially good idea to
>   me.  However, I can hear grarpamp's concerns and it's not obviously
>   clear to me that it's something we should do.
>   In general, the whole user education part of this is quite hard to
>   evaluate, and I don't think I understand the problem well enough to
>   take a stance.
> - In general, having CAs sign onion certificates seems like a good
>   thing for now. There are threat models that would really benefit
>   from this, so we should make it a possibility and work with CAs to
>   get the best out of it.

I also agree with this. In the past I was hesitant to suggest supporting
TLS with hidden services, but the more I thought about this topic and
the more others voiced their opinion, I think supporting usable e2e
application-controlled transport-layer crypto is important.

> - I'm not very afraid of CA certificates getting out of control, that
>   is the community evolving to a point that if an HS doesn't have a CA
>   certificate it's not considered secure.
>   This doesn't seem like something that will happen any time soon, and
>   if it ever happens and we really want to stop it, well it's good we
>   have a Firefox fork ;)

This seems like a risky plan, but there is great reward if this

Dear furture-self and Tor community,
I'm sorry if this failed, but it was worth trying.

> Personally, I would let this issue develop organically:
> In the short-term future, we should help CAs make their certs useful
> for the onionspace, and we should also make some trac tickets and
> plans for any Tor modifications we want to do (for example, trusting
> self-signed certs signed by the HS identity key seem like a generally
> good idea).

Definitely, we should start opening trac tickets.

It seems the main blocker/objection to accepting the current proposal
(aside from some other minor details which can be worked out) is
IANA reserving the TLD. If anyone can help support the acceptance of
the proposed RFC, that would significantly help[0]. It was also
proposed that the CAB Forum should progress this under the assumption
that .onion will become a reserved TLD[1], but getting this in-place
is quite important.

[0] https://cabforum.org/pipermail/public/2014-November/004576.html
[1] https://cabforum.org/pipermail/public/2014-November/004616.html

> I encourage anyone with good ideas and opinions to get involved with
> the CA community and help them make this useful. As I understand it,
> part of the discussion is happening here:
> https://cabforum.org/pipermail/public/2014-November/004569.html


More information about the tor-dev mailing list