elrippo writes:

> Hi,
> I don't think letsencrypt will work on a HS, because letsencrypt checks [1] if
> the domain you type in is registered.
> So for example on a clearnet IP which has a registered domain at mydomain.com
> called myserver.tld, letsencrypt makes a DNS check for this clearnet IP and
> gets the answer that this clearnet IP has a registered domain called
> myserver.tld on mydomain.com.
>
> How should letsencrypt do this on a HS?
If the CA/Browser Forum agreed that it was proper to do this, we could create a special case for requests that include a .onion name to use a different (non-DNS) resolution mechanism, recognizing "that DNS is not the only name resolution protocol on the Internet", as Christian Grothoff put it. I can't promise that Let's Encrypt would do this, but I think we would be interested in the possibility.

In a way, the special-casing is what makes some folks in the CA/Browser Forum nervous right now: if there's no "official" notion of the meaning of some names, how can CAs know which names should use which resolution mechanisms? (For example, maybe some CAs have heard that they should treat .onion specially, but others haven't.) If they're unsure which mechanisms to use, how can they know that the interpretation they give to the names will be the same as end-users' interpretation?

--
Seth Schoen <sch...@eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
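As an added example, not part of this thread and not code from Let's Encrypt, the CA/Browser Forum or the Tor Project, the following Python sketches the special-casing Seth describes: a CA-side routine that looks at each requested name and decides which resolution mechanism applies, sending DNS names down the usual DNS path and .onion names down a non-DNS path. It assumes the v3 onion address format from Tor's rend-spec-v3 (a base32 encoding of the service's Ed25519 public key, a two-byte SHA3-256 checksum and a version byte), which postdates this discussion; the point it makes is that such a name is self-authenticating, so the key a CA would need to verify a proof of control is in the name itself and no DNS lookup is involved. The sample public key, the function names and the treatment of v2 (16-character) addresses as unsupported are constructed for illustration; the routine only classifies the name and recovers the key, it does not run the challenge.

```python
import base64
import binascii
import hashlib
import re
from typing import Optional, Tuple

ONION_V3_VERSION = b"\x03"
# Constructed sample key: 32 bytes of 0x42 stand in for a real Ed25519 public key.
SAMPLE_PUBKEY = bytes([0x42]) * 32

# One DNS label: 1-63 chars of letters, digits and hyphens, no leading/trailing hyphen.
DNS_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """Checksum per rend-spec-v3: first two bytes of SHA3-256(".onion checksum" || key || version)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]


def make_onion_v3(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte public key (used here to construct test input)."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(label: str) -> bytes:
    """Decode the 56-char label of a v3 address; verify checksum and version; return the key."""
    if len(label) != 56:
        raise ValueError("only 56-character v3 onion addresses are supported")
    try:
        raw = base64.b32decode(label.upper())
    except binascii.Error as exc:
        raise ValueError("onion address is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_v3_checksum(pubkey):
        raise ValueError("onion address checksum mismatch")
    return pubkey


def validation_mechanism(name: str) -> Tuple[str, Optional[bytes]]:
    """Decide how a CA should establish control of `name`.

    Returns ("dns", None) for a public DNS name, or ("onion-v3", pubkey) for a
    .onion name, where pubkey is the key embedded in the address. Raises
    ValueError for anything that is neither.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(DNS_LABEL.match(lbl) for lbl in labels):
        raise ValueError("malformed name")
    if labels[-1] == "onion":
        # .onion is not resolved through the public DNS, so a DNS check is meaningless;
        # the second-to-last label carries the key (subdomains of the service are allowed).
        return ("onion-v3", parse_onion_v3(labels[-2]))
    return ("dns", None)


if __name__ == "__main__":
    addr = make_onion_v3(SAMPLE_PUBKEY)
    print(addr, validation_mechanism(addr)[0])
    print("example.com", validation_mechanism("example.com")[0])
```

Two properties worth noting: the checksum makes a single mistyped character in the address fail closed rather than silently pointing at a different key, and because the key comes out of the name, a CA could challenge the requester to sign a nonce with it, which is the kind of non-DNS mechanism the reply alludes to.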