On Fri, 02 Jan 2015 06:26:34 +0000 Thomas White <[email protected]> wrote:
> The whole CA system is a broken model in many ways yes, but that
> doesn't mean we should totally disregard it. We can work with the CA's
> to build up a standing as long as we don't forget that CA's are no
> requirement to legitimacy. If a standard is set by the CA community
> this paves the way to other pushes and can be seen as a credential
> that this isn't some fad or "criminal" tool, but is a genuine and
> useful tool in this day and age.

Assuming someone believes that hidden services have a bad 'reputation', I'm not sure that because a CA would be willing to issue certificates for a .onion, that this will provide enough 'credentials' for people to improve their view of hidden services.

I don't think we should look towards encouraging the use of a CA signing a .onion. We should be looking towards more decentralized methods, i.e. (which I'm sure people have read, but quoting nonetheless) the idea that was within Tor's blog post [1]...

"A more thorough approach in that direction is to have a way for a hidden service to generate its own signed https cert using its onion private key, and teach Tor Browser how to verify them — basically a decentralized CA for .onion addresses, since they are self-authenticating anyway."

This gives the user some confidence (as they'll see the "https"), and in my opinion moves away from a broken CA system.

[1] https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs

--
Matthew Puckey
