[tor-talk] trusting .onion services

Paul Syverson paul.syverson at nrl.navy.mil
Sun Jan 17 16:12:56 UTC 2016


On Sat, Jan 16, 2016 at 10:22:50PM +0100, Rejo Zenger wrote:
> Hi!
> 
> I'm wondering... 
> 
>  - How can a user reliably determine some .onion address actually
>    belongs to intended owner?
> 
>  - How is the provider of .onion service supposed to deal with a lost or
>    compromised private key, especially from the point of view of the
>    user of this service? How does the user know a .onion-address has
>    its key revoked?
> 

For a description of what one can do now via GPG, and a plan for
integration with Certificate Authorities (for the little guy, not
just, e.g., Facebook), see

https://github.com/saint/w2sp-2015/blob/master/SP_SPSI-2015-09-0170.R1_Syverson.pdf

Note: this is specifically focused on onionsites that have registered
domains with which to associate. The GPG approach could be used
without a registered domain associated. (And in a previously published
paper also on saint's github, we noted that this could work for
Wordpress blogs or Facebook pages, not just domains registered by the
onionsite owner.) Or one could use keybase, etc. I just want people to
know the scope of what is being attempted in this work.

aloha,
Paul

