[tor-talk] Giving Hidden Services some love

Matthew Puckey matt at puckey.org
Sat Jan 3 00:27:00 UTC 2015


On Fri, 02 Jan 2015 06:26:34 +0000
Thomas White <thomaswhite at riseup.net> wrote:

> The whole CA system is a broken model in many ways yes, but that
> doesn't mean we should totally disregard it. We can work with the CA's
> to build up a standing as long as we don't forget that CA's are no
> requirement to legitimacy. If a standard is set by the CA community
> this paves the way to other pushes and can be seen as a credential
> that this isn't some fad or "criminal" tool, but is a genuine and
> useful tool in this day and age.

Assuming someone believes that hidden services have a bad 'reputation',
I'm not sure that because a CA would be willing to issue certificates
for a .onion, that this will provide enough 'credentials' for people to
improve their view of hidden services.

I don't think we should look towards encouraging the use of a CA
signing a .onion. We should be looking towards more decentralized
methods, i.e. (which I'm sure people have read, but quoting it
nonetheless) the idea that was within Tor's blog post [1]...

"A more thorough approach in that direction is to have a way for a
hidden service to generate its own signed https cert using its onion
private key, and teach Tor Browser how to verify them — basically a
decentralized CA for .onion addresses, since they are
self-authenticating anyway."

This gives the user some confidence (as they'll see the "https"), and
in my opinion moves away from a broken CA system.

[1] https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs

-- 
Matthew Puckey
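The "decentralized CA" idea quoted above, as an added worked example that is not part of the post, the blog entry it cites, or Tor's own code: a hidden service signs a certificate for its own .onion name with its onion key, and a verifier accepts it without any CA trust store, because the hostname is itself a hash of the key. Assumptions: the v2 address derivation (base32 of the first 80 bits of SHA-1 over the PKCS#1 DER encoding of the RSA identity key, lower-cased), Go's standard-library x509 package standing in for the browser-side check, and a 2048-bit demo key where a real v2 service would use 1024 bits (the derivation is the same). Function names are the author's own, not a Tor API.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base32"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// OnionAddressFromKey derives a v2 .onion hostname from an RSA public key:
// base32 of the first 80 bits (10 bytes) of SHA-1 over the PKCS#1 DER
// encoding of the key, lower-cased, plus the ".onion" suffix.
func OnionAddressFromKey(pub *rsa.PublicKey) string {
	der := x509.MarshalPKCS1PublicKey(pub)
	sum := sha1.Sum(der)
	return strings.ToLower(base32.StdEncoding.EncodeToString(sum[:10])) + ".onion"
}

// MakeSelfSignedOnionCert has the hidden service act as its own CA: it issues
// a certificate for its own .onion name, signed with its onion private key.
// Returns the DER-encoded certificate.
func MakeSelfSignedOnionCert(priv *rsa.PrivateKey) ([]byte, error) {
	host := OnionAddressFromKey(&priv.PublicKey)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true, // the service is the only issuer for its own name
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
}

// VerifyOnionCert is what the browser-side check could look like. No CA trust
// store is consulted: the certificate is accepted only if (1) its signature
// verifies under its own embedded key, (2) that key hashes to the very
// hostname the user typed, and (3) the certificate names that hostname.
// Step (2) is what makes the address self-authenticating: an attacker who
// cannot produce the onion private key cannot produce a key that derives to
// the same address, so there is nothing for a third-party CA to vouch for.
func VerifyOnionCert(hostname string, derCert []byte) error {
	cert, err := x509.ParseCertificate(derCert)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("onion cert: expected an RSA public key")
	}
	if err := cert.CheckSignatureFrom(cert); err != nil {
		return fmt.Errorf("onion cert: self-signature invalid: %w", err)
	}
	expected := strings.ToLower(hostname)
	if got := OnionAddressFromKey(pub); got != expected {
		return fmt.Errorf("onion cert: key derives to %s, not %s", got, expected)
	}
	return cert.VerifyHostname(expected)
}

func main() {
	// Demo key; a real v2 hidden service identity key is RSA-1024.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	host := OnionAddressFromKey(&priv.PublicKey)
	der, err := MakeSelfSignedOnionCert(priv)
	if err != nil {
		panic(err)
	}
	fmt.Println(host, "->", VerifyOnionCert(host, der))
	fmt.Println("wrong address ->", VerifyOnionCert("aaaaaaaaaaaaaaaa.onion", der))
}
```

The check deliberately does not call x509's chain verification, since there is no chain: the hostname is the trust anchor. A certificate signed by the right key but presented under another service's address, or one signed by some other key for this address, both fail at the derivation comparison.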

