<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Bonjour,<br>
<br>
Coming back to this email, as it seems it hasn't been fully
answered.<br>
<br>
On 13/02/2015 17:28, <a class="moz-txt-link-abbreviated"
href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>
wrote:<br>
</div>
<blockquote
cite="mid:EF70381B2D29784EA4FC66042BE81EAF4D4B3176@SJDCEXMBX01.us.trendnet.org"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1296788864;
mso-list-type:hybrid;
mso-list-template-ids:1276921988 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:1844395705;
mso-list-type:hybrid;
mso-list-template-ids:1423848834 1218095510 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:•;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.5in;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoPlainText">[...]</p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I have to circle back to “Why are we
doing this?”<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"
style="margin-left:.75in;text-indent:-.5in;mso-list:l1 level1
lfo2">
<!--[if !supportLists]--><span style="mso-list:Ignore">•<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]-->Tor users want to visit websites
anonymously. [That sounds like something CAs should support
if possible]<o:p></o:p></p>
<p class="MsoPlainText"
style="margin-left:.75in;text-indent:-.5in;mso-list:l1 level1
lfo2">
<!--[if !supportLists]--><span style="mso-list:Ignore">•<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]-->Website owners do *<b>not</b>*
want anonymity – in fact, just the opposite. They want EV
certs with their identity information included that will work
for Tor users.<o:p></o:p></p>
<p class="MsoPlainText"
style="margin-left:.75in;text-indent:-.5in;mso-list:l1 level1
lfo2">
<!--[if !supportLists]--><span style="mso-list:Ignore">•<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]-->For some reason, regular TLD
certs (like .com certs) won’t work after Tor users go through
the Tor blender. [Does anyone know why that is the case?]</p>
</div>
</blockquote>
<br>
A TorBrowser user can connect to <a class="moz-txt-link-freetext"
href="https://www.facebook.com">https://www.facebook.com</a>; it
will have the nice padlock icon, and all the packets will go through
the Tor mesh network.<br>
A "{elinks,chrome,IE,whatever}+tor+socks5-in-between" user can do
the same action with the same guarantees.<br>
<br>
<blockquote
cite="mid:EF70381B2D29784EA4FC66042BE81EAF4D4B3176@SJDCEXMBX01.us.trendnet.org"
type="cite">
<div class="WordSection1">
<p class="MsoPlainText"
style="margin-left:.75in;text-indent:-.5in;mso-list:l1 level1
lfo2"><o:p></o:p></p>
<p class="MsoPlainText"
style="margin-left:.75in;text-indent:-.5in;mso-list:l1 level1
lfo2">
<!--[if !supportLists]--><span style="mso-list:Ignore">•<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]-->But for some reason, Internal
Name .onion certs *<b>do</b>* work for Tor users after they go
through the Tor blender. [Does anyone know why this is so?]<o:p></o:p></p>
<p class="MsoPlainText"
style="margin-left:.75in;text-indent:-.5in;mso-list:l1 level1
lfo2">
<!--[if !supportLists]--><span style="mso-list:Ignore">•<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]-->Tor does not want to apply for
.onion as a TLD, and does not want to be the registrar for
.onion [Why not? That would solve everything by making .onion
a TLD, so all the current CA rules could apply. And remember,
website users are not looking for anonymity in their certs –
they want EV certs with their identity displayed prominently
in the browsers.]<o:p></o:p></p>
<p class="MsoPlainText"
style="margin-left:.75in;text-indent:-.5in;mso-list:l1 level1
lfo2">
<!--[if !supportLists]--><span style="mso-list:Ignore">•<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]-->The Tor process for assigning
.onion domains does not require domains to be unique.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
</div>
</blockquote>
<br>
IIUC, asking Tor to connect to some identified server creates a
circuit, involving at least 3 nodes (entry, relay+, exit) to provide
some anonymity.<br>
Asking Tor to connect to a .onion address involves requesting the
nearest catalog of hidden services to get the Tor node hosting this
hidden service, and the circuit will never go through an exit node,
providing confidentiality. This confidentiality is already offered
by TLS.<br>
<br>
<pre class="moz-signature" cols="72">--
Erwann ABALEA
</pre>
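<p>Added example (editor's illustration, not code from this thread or from the Tor project): the reply above contrasts an ordinary circuit, which ends at an exit node, with a .onion connection, which is resolved through the hidden-service directory and never leaves the Tor network. The block below models that routing decision and also shows how a 2015-era (v2) .onion name is derived: it is the first 80 bits of the SHA-1 of the service's DER-encoded RSA public key, base32-encoded, so the name is bound to the key rather than assigned by a registrar. The key parameters are constructed placeholders, not a real key, and <code>circuit_kind</code> is a hypothetical helper name.</p>

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed sample public-key parameters (NOT a real key). Real v2 onion
# services use a 1024-bit RSA key; only the derivation steps matter here.
SAMPLE_N = int("C0FFEE" * 40, 16)
SAMPLE_E = 65537


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER for a non-negative value (sign bit padded with 0x00)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def der_rsa_public_key(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    inner = der_integer(n) + der_integer(e)
    return b"\x30" + _der_len(len(inner)) + inner


def onion_v2_address(n, e):
    """v2 hidden-service name: base32(first 10 bytes of SHA-1(DER key)) + .onion"""
    digest = hashlib.sha1(der_rsa_public_key(n, e)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def circuit_kind(hostname):
    """Which kind of Tor circuit a hostname leads to, per the reply above:
    .onion -> rendezvous circuit via the HS directory, no exit node;
    anything else -> ordinary multi-hop circuit ending at an exit node."""
    host = hostname.lower().rstrip(".")
    if host == "onion" or host.endswith(".onion"):
        return "rendezvous"
    return "exit"


def circuit_kind_for_url(url):
    """Same decision, taken from a full URL as typed into a browser."""
    return circuit_kind(urlsplit(url).hostname or "")


if __name__ == "__main__":
    addr = onion_v2_address(SAMPLE_N, SAMPLE_E)
    print(addr, circuit_kind(addr))
    print("www.facebook.com", circuit_kind_for_url("https://www.facebook.com"))
```

<p>Note what the derivation implies for the discussion: two different keys yield two different names (a collision needs 80 bits of SHA-1 to match), and nothing in the name is looked up in DNS or WHOIS, which is why the usual domain-validation paths a CA relies on do not apply to .onion as-is.</p>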
<br>
</body>
</html>