[cabfpub] .onion and .exit
Adam Langley
agl at google.com
Tue Oct 14 11:01:52 MST 2014
On Tue, Oct 14, 2014 at 9:29 AM, Jeremy Rowley
<jeremy.rowley at digicert.com> wrote:
> Yeah - we specified IANA. I can see the point in providing certs. I think Tor uses NSS for its roots, and I know there has been use of bogus digital certificates to spy on the network.
The Tor Browser Bundle, which is the official browser for use with
Tor, is based on Firefox and thus based on the NSS roots, yes.
The .onion names have transport security provided by Tor and thus
don't obviously need HTTPS certificates. You should certainly ask the
Tor folks before issuing for them. I'm not sure why .onion sites would
want HTTPS certificates.
If you do issue for them, the onion name itself is a hash of a public
key so a strong proof of possession should be pretty easy at least.
The .exit names are completely different and indicate a preferred exit
node, i.e. foo.com.bar.exit is foo.com via the exit called "bar". I
don't think HTTPS certificates should ever be issued for that and
.exit is deprecated by Tor in any case.
Cheers
AGL
More information about the Public
mailing list