[tor-talk] Letsencrypt and Tor Hidden Services

Seth David Schoen schoen at eff.org
Wed Aug 19 17:38:48 UTC 2015


elrippo writes:

> Hi,
> I don't think letsencrypt will work on a HS because letsencrypt checks [1] if the domain you type in is registered.
> So for example, on a clearnet IP which has a registered domain at mydomain.com called myserver.tld, letsencrypt makes a DNS check for this clearnet IP and gets the answer that this clearnet IP has a registered domain called myserver.tld on mydomain.com.
> 
> How should letsencrypt do this on a HS?

If the CA/Browser Forum agreed that it was proper to do this, we could
create a special case for requests that include a .onion name to use
a different (non-DNS) resolution mechanism, recognizing "that DNS is
not the only name resolution protocol on the Internet", as Christian
Grothoff put it.

I can't promise that Let's Encrypt would do this, but I think we would
be interested in the possibility.

In a way, the special-casing is what makes some folks in the CA/Browser
Forum nervous right now: if there's no "official" notion of the meaning
of some names, how can CAs know which names should use which resolution
mechanisms?  (For example, maybe some CAs have heard that they should
treat .onion specially, but others haven't.)  If they're unsure which
mechanisms to use, how can they know that the interpretation they give
to the names will be the same as end-users' interpretation?

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
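The routing question Seth raises (which resolution mechanism applies to which name, and how a CA can be sure it is not handing a .onion name to DNS) can be made concrete. The following is an added example written for this archive page; it is not Let's Encrypt, EFF or Tor code. It classifies a requested name by namespace with a purely syntactic check (v2 onion labels are 16 base32 characters, v3 labels are 56; the v3 checksum is not verified), routes it to a caller-supplied lookup, and refuses to let a .onion name reach a DNS resolver. The `dns_lookup` and `onion_lookup` callables are hypothetical placeholders for whatever a real validator would use.

```python
import re

# Added example, not Let's Encrypt/EFF/Tor code: decide which name-resolution
# mechanism a CA-side validator should use for a requested name. A .onion
# name must never be sent to DNS, and a DNS name must never be treated as a
# hidden-service identity.

# Tor onion addresses use the base32 alphabet a-z and 2-7.
ONION_V2_LABEL = re.compile(r"[a-z2-7]{16}")   # 80-bit truncated key hash
ONION_V3_LABEL = re.compile(r"[a-z2-7]{56}")   # ed25519 key + checksum + version
DNS_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def classify_name(name):
    """Return ("onion", 2|3) or ("dns", None); raise ValueError otherwise.

    Syntactic check only: it does not verify the v3 checksum and says
    nothing about whether the name is reachable or registered anywhere.
    """
    name = name.strip().rstrip(".").lower()
    labels = name.split(".")
    if len(labels) < 2 or any(label == "" for label in labels):
        raise ValueError("name needs at least two non-empty labels: %r" % name)
    if labels[-1] == "onion":
        # The identity is the label directly before .onion; earlier labels
        # are subdomains of that service and carry no identity of their own.
        ident = labels[-2]
        if ONION_V2_LABEL.fullmatch(ident):
            return ("onion", 2)
        if ONION_V3_LABEL.fullmatch(ident):
            return ("onion", 3)
        raise ValueError("malformed .onion address: %r" % name)
    if len(name) > 253 or not all(DNS_LABEL.fullmatch(label) for label in labels):
        raise ValueError("not a valid DNS hostname: %r" % name)
    return ("dns", None)


def guarded_dns_lookup(name, lookup):
    """Wrap a DNS lookup so a .onion name can never leak to resolvers."""
    if classify_name(name)[0] == "onion":
        raise RuntimeError("refusing to send %r to DNS" % name)
    return lookup(name)


def choose_resolution(name, dns_lookup, onion_lookup):
    """Route the name to the mechanism appropriate for its namespace.

    dns_lookup and onion_lookup are hypothetical callables supplied by the
    caller; this function only decides which one is consulted.
    """
    kind, version = classify_name(name)
    if kind == "onion":
        return {"mechanism": "onion-v%d" % version, "result": onion_lookup(name)}
    return {"mechanism": "dns", "result": guarded_dns_lookup(name, dns_lookup)}


if __name__ == "__main__":
    # Constructed sample inputs; the lookups just echo the name to show routing.
    samples = ["myserver.tld", "abcdefghijklmnop.onion", "www." + "a" * 56 + ".onion"]
    for n in samples:
        print(n, "->", choose_resolution(n,
                                         lambda h: "A/AAAA records for " + h,
                                         lambda h: "HS descriptor for " + h))
```

The point of the two-step design is that the classification happens once, up front, and every downstream mechanism is reached only through it; a CA that has not "heard" about .onion would fall into the DNS branch by default, which is exactly the inconsistency the thread is worried about, so the unknown-suffix case is made an explicit decision rather than a fallthrough.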

