[cabfpub] .onion and .exit

Adam Langley agl at google.com
Tue Oct 14 18:01:52 UTC 2014

On Tue, Oct 14, 2014 at 9:29 AM, Jeremy Rowley
<jeremy.rowley at digicert.com> wrote:
> Yeah - we specified IANA. I can see the point in providing certs.  I think Tor uses NSS for its roots, and I know there has been use of bogus digital certificates to spy on the network.

The Tor Browser Bundle, which is the official browser for use with
Tor, is based on Firefox and thus based on the NSS roots, yes.

The .onion names have transport security provided by Tor and thus
don't obviously need HTTPS certificates. You should certainly ask the
Tor folks before issuing for them. I'm not sure why .onion sites would
want HTTPS certificates.

If you do issue for them, the onion name itself is a hash of a public
key so a strong proof of possession should be pretty easy at least.

The .exit names are completely different and indicate a preferred exit
node, i.e. foo.com.bar.exit is foo.com via the exit called "bar". I
don't think HTTPS certificates should ever be issued for that and
.exit is deprecated by Tor in any case.



More information about the Public mailing list