[cabfpub] .onion and .exit

Gervase Markham gerv at mozilla.org
Thu Oct 16 10:34:28 UTC 2014

On 14/10/14 19:01, Adam Langley wrote:
> The .onion names have transport security provided by Tor and thus
> don't obviously need HTTPS certificates. You should certainly ask the
> Tor folks before issuing for them. I'm not sure why .onion sites would
> want HTTPS certificates.
> If you do issue for them, the onion name itself is a hash of a public
> key so a strong proof of possession should be pretty easy at least.
> The .exit names are completely different and indicate a preferred exit
> node, i.e. foo.com.bar.exit is foo.com via the exit called "bar". I
> don't think HTTPS certificates should ever be issued for that and
> .exit is deprecated by Tor in any case.

In addition to Adam's points: I suspect there are significant political
issues in agreeing to formalize issuance of certs for non-IANA TLDs. It
would be the equivalent of agreeing to issue SSL certs for alt roots:
which of course leads to obvious problems when/if they overlap with IANA
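Adam's remark above that "the onion name itself is a hash of a public key" is the basis for the proof-of-possession check he mentions. The following script is an added illustration and is not part of this thread or of any CA's validation code: it derives a .onion name from a public key the way Tor does, so a verifier can compare a claimed key against the name rather than trust the claim. For the RSA-based scheme the message refers to (Tor's original, "v2", addresses), the name is the base32 encoding of the first 80 bits of SHA-1 over the DER-encoded RSAPublicKey. As a generalization beyond the thread it also covers the later ed25519 ("v3") format, where the address embeds the 32-byte key itself plus a SHA3-256 checksum and a version byte, so the address can be checked for internal consistency on its own. The modulus `FAKE_N` and the key `FAKE_ED25519_PUB` are constructed dummy values for the demonstration only, not real Tor keys.

```python
"""Derive and verify .onion names from public keys (added example, not Tor code).

v2: base32(SHA1(DER(RSAPublicKey))[:10])        -> 16 chars
v3: base32(PUBKEY || CHECKSUM || VERSION)       -> 56 chars
    CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2], VERSION = 0x03
"""
import base64
import hashlib

B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


# --- minimal DER encoding, enough for SEQUENCE { INTEGER n, INTEGER e } ---
def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER: minimal big-endian bytes, leading 0x00 if the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_rsa_public_key(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    inner = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(inner)) + inner


# --- v2 (RSA, SHA-1 truncated to 80 bits) ---
def onion_v2_address(n: int, e: int) -> str:
    """16-character v2 name derived from the RSA public key (without '.onion')."""
    digest = hashlib.sha1(der_rsa_public_key(n, e)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def v2_address_matches(address: str, n: int, e: int) -> bool:
    """Proof-of-possession style check: does the claimed key hash to this name?"""
    return address.lower().removesuffix(".onion") == onion_v2_address(n, e)


# --- v3 (ed25519 key embedded in the name) ---
def onion_v3_address(pubkey: bytes) -> str:
    """56-character v3 name for a 32-byte ed25519 public key (without '.onion')."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode("ascii").lower()


def v3_address_matches(address: str, pubkey: bytes) -> bool:
    return address.lower().removesuffix(".onion") == onion_v3_address(pubkey)


def v3_address_is_well_formed(address: str) -> bool:
    """Check a v3 name on its own: length, alphabet, version byte and checksum."""
    name = address.lower().removesuffix(".onion")
    if len(name) != 56 or any(c not in B32_ALPHABET for c in name):
        return False
    raw = base64.b32decode(name.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return checksum == expected


# Constructed dummy inputs: not real keys, only used to exercise the derivation.
FAKE_N = (1 << 1023) | 0x1234567890ABCDEF  # 1024-bit "modulus"
FAKE_E = 65537
FAKE_ED25519_PUB = bytes(range(32))

if __name__ == "__main__":
    print("v2:", onion_v2_address(FAKE_N, FAKE_E) + ".onion")
    print("v3:", onion_v3_address(FAKE_ED25519_PUB) + ".onion")
    print("v3 well-formed:", v3_address_is_well_formed(onion_v3_address(FAKE_ED25519_PUB)))
```

Note that for v2 the check only establishes that the applicant knows the public key, not the private one; a CA's proof of possession would still need a signature made with the corresponding private key over a challenge, which is a separate step from the name derivation shown here.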