Hi folks,

For a long time, publicly-trusted certificate authorities were not clearly permitted to issue certificates for .onion names. However, RFC 7686 and a series of three CA/Browser Forum ballots sponsored by Digicert have allowed issuance of EV certificates (where the legal identity of the certificate requester is verified offline before the certificate is issued). This has allowed Digicert to issue a number of such certificates to interested (extremely non-anonymous!) onion service operators.

https://crt.sh/?Identity=%25.onion

So far Digicert is the only browser-trusted CA to have taken advantage of this policy. Notably, it doesn't apply to certificate authorities that only issue DV certificates, because nobody at the time found a consensus about how to validate control over these domain names. There was also a long-standing concern about cryptographic strength mismatch, in the sense that the cryptography used by onion services was weaker than the cryptography that's now used in TLS. (I think this concern was misplaced, but I believe it's served as one of the main rationales for distinguishing EV from DV.)

So, there has been a suggestion that this issue might be revisited with the next-generation onion services because they have stronger cryptographic primitives. Apparently these have now been not only implemented but actually demonstrated:

https://blog.torproject.org/blog/new-and-improved-onion-services-will-premiere-def-con-25

I'd like to prepare to raise this issue with the CA/Browser Forum in anticipation of a ballot there to have it be possible for DV certificates to be issued to onion services. So I wanted to ask two things here:

(1) What's the status of onion services looking like now? I haven't seen Roger's DEF CON talk. (Was it recorded?)

(2) What reasons do people have for wanting certificates that cover onion names? I think I know of at least three or four reasons, but I'm interested in creating a list that's as thorough as possible.

-- 
Seth Schoen <sch...@eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk