[cabfpub] .onion and .exit
Gervase Markham
gerv at mozilla.org
Thu Oct 16 10:34:28 UTC 2014
On 14/10/14 19:01, Adam Langley wrote:
> The .onion names have transport security provided by Tor and thus
> don't obviously need HTTPS certificates. You should certainly ask the
> Tor folks before issuing for them. I'm not sure why .onion sites would
> want HTTPS certificates.
>
> If you do issue for them, the onion name itself is a hash of a public
> key so a strong proof of possession should be pretty easy at least.
>
> The .exit names are completely different and indicate a preferred exit
> node, i.e. foo.com.bar.exit is foo.com via the exit called "bar". I
> don't think HTTPS certificates should ever be issued for that and
> .exit is deprecated by Tor in any case.
In addition to Adam's points: I suspect there are significant political
issues in agreeing to formalize issuance of certs for non-IANA TLDs. It
would be the equivalent of agreeing to issue SSL certs for alt roots:
http://www.wikiwand.com/en/Alternative_DNS_root
which of course leads to obvious problems when/if they overlap with IANA
TLDs.
Gerv
More information about the Public
mailing list