[cabfpub] Tor Comment on onion

[Jeremy.Rowley]

This is from Mathew Finkel who is responding to the request for more information.  Although he hasn't signed an IPR, I'm forwarding his comments as the onion discussion topic is directly related to Tor.

  
Hi All,

The Tor Project is extremely supportive of helping users to further
secure their Tor Hidden Services. Tor Hidden Services provide
end-to-end encryption, authenticity and anonymity for free. Adding
properly signed and verified certificates, as well as adding TLS into
the mix, would be wonderful for our users. We would like them to be
able to deploy Hidden Services with TLS and to ensure that the normal
CA/browser security experience is unchanged (or improved).

We are aware of the on-going discussion and we are currently working
towards a consensus of this topic. We want to make sure this discussion
is handled with care and the result is truly the best result for our
users.

For an initial opinion of such a deployment, please see our blog post[0]
regarding Facebook's hidden services and their use of a CA certificate
as an authentication mechanism.

With regard to proving ownership of a Tor Hidden Service key, it is
extremely straight forward and we believe that it is stronger than
Domain Validated certificates, for example.

We can not stress enough how appreciative we are that this topic is
currently being discussed and for your support. However, this is
something we must treat delicately, so please bear with us while we
weigh the options and the arguments which were made in last month's
thread as well as the current one. Please do continue discussing this,
in the mean time.

Thank you,
Matthew Finkel

[0]https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs  (part four)