[cabfpub] .onion and .exit
Jeremy Rowley
jeremy.rowley at digicert.com
Thu Oct 16 17:36:48 UTC 2014
If permitted by the CAB Forum, it would be an EV cert.
-----Original Message-----
From: Adam Langley [mailto:agl at google.com]
Sent: Thursday, October 16, 2014 11:35 AM
To: Jeremy Rowley
Cc: Gervase Markham; Phillip Hallam-Baker; CABFPub
Subject: Re: [cabfpub] .onion and .exit
On Thu, Oct 16, 2014 at 10:01 AM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> In this case, [customers] want the certificate to tie the service to
> the company so that users know exactly who is controlling the service.
> The cert is primarily to ensure that users are connecting to the
> correct service and that government actors aren't spoofing or MITM the
> service. The reason we want to add the .onion addresses to our
> certificate is that we believe the only way for us to truly secure the
> connection end-to-end is for us to present our service with a
> certified .onion address and to rewrite all of our internal urls to
> be .onion addresses as well
Is this an EV certificate? If so, then I can see the argument. If not, then this customer appears to misunderstand how .onion addresses work.
A .onion contains a key and Tor ensures the authenticity of the connection internally. (There are reasonable questions about the cryptographic strength of that authentication, but I think Tor are working on that and this customer doesn't appear to be raising that point.)
> Right now anyone could throw up a Tor hidden service that acted as a proxy to our service and claim it to either be official or a better/faster method than using a normal exit node and some people would believe them; once we start running our service we expect some to attempt this anyway.
This is a fair point but, again, only seems to make sense if it's an EV certificate.
Cheers
AGL
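Adam's point that a .onion address contains a key, shown as an added example that is not part of this thread: the current v3 address format, which postdates this 2014 discussion (the v2 addresses of the time encoded a truncated SHA-1 of an RSA key instead), embeds the service's ed25519 public key directly, so the address itself binds to the key and can be checked offline. The key below is a constructed placeholder, not a real service key.

```python
import base64
import hashlib

# Tor v3 onion address layout (rend-spec-v3, section 6):
#   onion_address = base32( PUBKEY || CHECKSUM || VERSION ) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
# PUBKEY is the 32-byte ed25519 public key, VERSION is 0x03.
# 35 raw bytes base32-encode to exactly 56 characters, no padding.
VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum that ties the address to the embedded key."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]


def encode_onion(pubkey: bytes) -> str:
    """Build the .onion address for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion(address: str) -> bytes:
    """Return the public key embedded in a v3 address, or raise ValueError.

    Rejects wrong length, unknown version, and a checksum that does not
    match the key, i.e. an address that has been altered or mistyped.
    """
    label = address.lower()
    if label.endswith(".onion"):
        label = label[:-6]
    if len(label) != 56:
        raise ValueError("v3 onion label must be 56 base32 characters")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address does not match its key")
    return pubkey


# Constructed placeholder key (NOT a real service key), used only to show the round trip.
DEMO_KEY = bytes(range(32))

if __name__ == "__main__":
    addr = encode_onion(DEMO_KEY)
    print(addr, decode_onion(addr) == DEMO_KEY)
```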