[tor-talk] x.509 for hidden services

grarpamp grarpamp at gmail.com
Sat Oct 26 07:57:20 UTC 2013

> cn=pubkeybase32.onion

There are lots of HS certs out there. Some are just the usual
random certs. Some use this exact cn specification. I never
looked to see if any of them actually packed in the full HS
pubkey somewhere.

> I believe torchat does this

IIRC, torchat is just doing a bidirectional secret passing
pingpong between clients behind the HS addresses, no
actual x509 stuff. There's a good paper on it.

> compatible with future editions of hidden services which aren't based

I think this pending may be holding a number of people back from deploying
some onion things today when it might get ripped out from under
them later. Whether for the RSA part. Or for good utility in maintaining
just the 80-bit addressing part as a map between EC addressing.
Where depending on how much of the current scheme is retained,
collision, spoofing, enumeration or even some continued risk of
deanonymization is not as important to their relatively non-sensitive
application, where making IPv6 transport work might be.
Not said as cause not to move forward, but to consider continuing
capabilities where possible.

> Are there other applications which would benefit from having x.509
> certs for onion names?

Certs, yes, even for simple surfing... but no matter what is done there,
people still phish themselves all the time. There's just no hope for those
classic types.
