[tor-dev] New Proposal - CAA Extensions for the Tor Rendezvous Specification

Q Misell q at as207960.net
Thu Apr 27 13:11:16 UTC 2023


Hi Raph,

Whilst I agree that in an ideal world CAs would be irrelevant, we do not
live in an ideal world. My proposal is one of many ways that a certificate
could be issued to hidden services.

Issuing standard TLS certificates to .onion domains allows HTTPS without
modification to the browser. This allows non-Tor-Browser user agents to
access the Tor network via a proxy (SOCKS etc.); doing otherwise would
require all browsers to understand Tor. It also opens up new opportunities
such as payment processing, as current PCI DSS requirements do not allow
non-standard TLS.

Current hidden services with HTTPS, such as the BBC, already use standard TLS
certificates; however, the process for these is extremely involved with
current CAs. My IETF draft aims to make this a much simpler process via the
already well-proven ACME.

Thanks,
Q
------------------------------

Any statements contained in this email are personal to the author and are
not necessarily the statements of the company unless specifically stated.
AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace,
Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company
registered in Wales under № 12417574
<https://find-and-update.company-information.service.gov.uk/company/12417574>.
ICO register №: ZA782876 <https://ico.org.uk/ESDWebPages/Entry/ZA782876>.
UK VAT №: GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524.
South Korean VAT №: 522-80-03080. Glauca Digital and the Glauca logo are
registered trademarks in the UK, under № UK00003718474 and № UK00003718468,
respectively.
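The proposal in this thread puts CAA records into the hidden service descriptor so that a CA can check them before issuing for a .onion name. As an added example, not code from the thread, the proposal or the Tor fork, the following evaluates a CAA record set with the RFC 8659 semantics a CA applies: the issue/issuewild tags, the issuer-critical flag, and the "no relevant records means any CA may issue" default. Because the records are assumed to come straight from the descriptor there is no parent-domain climbing as there would be in DNS; the record lines and the CA name ca.example are constructed for the example.

```python
# Added example (not from the thread, the proposal or the Tor fork):
# evaluating a CAA record set per RFC 8659 section 4, applied to records
# assumed to be carried in a hidden service descriptor rather than in DNS.
from dataclasses import dataclass

CRITICAL = 0x80  # issuer-critical bit in the CAA flags octet (RFC 8659 s.4.1)
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa_line(line: str) -> CAARecord:
    """Parse one presentation-format CAA record, e.g. '0 issue "ca.example"'."""
    flags, tag, value = line.split(maxsplit=2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(int(flags), tag.lower(), value)


def issuer_domain(value: str) -> str:
    """Issuer domain name from an issue/issuewild value; parameters after ';' are dropped.
    An empty issuer domain (value ';') permits no CA at all."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(records, ca_domain: str, wildcard: bool = False) -> bool:
    """Return True if a CA identified by ca_domain may issue for this record set."""
    ca_domain = ca_domain.lower()
    # s.4.2: a critical property the CA does not understand forbids issuance.
    for r in records:
        if r.flags & CRITICAL and r.tag not in KNOWN_TAGS:
            return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # s.4.3: for a wildcard request, issuewild records (if any) are the only
    # ones consulted; otherwise issue records apply.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no relevant records: issuance is unrestricted
    return any(issuer_domain(r.value) == ca_domain for r in relevant)


# Constructed descriptor record set for the example (not from any real service).
CONSTRUCTED_DESCRIPTOR_CAA = [
    '0 issue "ca.example"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.invalid"',
]


def evaluate_constructed(ca_domain: str, wildcard: bool = False) -> bool:
    """Parse the constructed record set and evaluate it for ca_domain."""
    records = [parse_caa_line(line) for line in CONSTRUCTED_DESCRIPTOR_CAA]
    return caa_permits(records, ca_domain, wildcard)


if __name__ == "__main__":
    for ca, wild in (("ca.example", False), ("other-ca.example", False), ("ca.example", True)):
        print(f"{ca!r} wildcard={wild}: permitted={evaluate_constructed(ca, wild)}")
```

The check is deliberately fail-closed on two points a CA implementer gets wrong most often: an unknown tag with the critical bit set blocks issuance even when an issue record would have matched, and an issuewild record with an empty issuer blocks wildcard issuance even though the non-wildcard issue record names the CA.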


On Thu, 27 Apr 2023 at 13:59, Raphaël Fabre <contact at fabco.tech> wrote:

> Hey
>
> I've read your proposal, although I'm not sure I grasp the totality of it.
> I'm Raph, the lead dev of this project -> https://e.as207960.net/w4bdyj/YG6dkkyr
>
> I have a question, since .onion is basically a non ICANN domain name
> system, why do you care about using Certificate Authorities ? Could you
> instead store the TLS certificates in the name system, as TXT / CERT
> records (similar to DANE) ?
>
> Doing this would allow TOR service providers to not rely on certificate
> authorities, control their TLS certificates directly (self signed) and *do
> not need at all to renew it*.
>
> happy to chat further
> Raph
>
> ------- Original Message -------
> On Thursday, 27 April 2023 at 14:45, Q Misell via tor-dev <
> tor-dev at lists.torproject.org> wrote:
>
> Hi all,
>
> I've spent some time working on ACME for Tor hidden services (you may have
> seen discussion of this work on the onion-advisors mailing list). Full
> details of the project are available at https://e.as207960.net/w4bdyj/xqviywZW
> <https://e.as207960.net/w4bdyj/yBzJUPTT>.
>
> Attached is my proposal for a change to the Tor Rendezvous Specification
> to support the inclusion of CAA records in hidden service descriptors.
>
> My fork of Tor implementing publishing these records is available at
> https://e.as207960.net/w4bdyj/ItcJLhNd <https://e.as207960.net/w4bdyj/LmAkW3uG>.
>
> Thanks,
> Q