[cabfpub] .onion and .exit

Jeremy Rowley jeremy.rowley at digicert.com
Thu Oct 16 17:36:48 UTC 2014

If permitted by the CAB Forum, it would be an EV cert.

-----Original Message-----
From: Adam Langley [mailto:agl at google.com] 
Sent: Thursday, October 16, 2014 11:35 AM
To: Jeremy Rowley
Cc: Gervase Markham; Phillip Hallam-Baker; CABFPub
Subject: Re: [cabfpub] .onion and .exit

On Thu, Oct 16, 2014 at 10:01 AM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> In this case, [customers] want the certificate to tie the service to 
> the company so that users know exactly who is controlling the service. 
> The cert is primarily to ensure that users are connecting to the 
> correct service and that government actors aren't spoofing or MITM the 
> service. The reason we want to add the .onion addresses to our 
> certificate is that we believe the only way for us to truly secure the 
> connection end-to-end is for us to present our service with a 
> certified  .onion address and to rewrite all of our internal urls to 
> be .onion addresses as well

Is this an EV certificate? If so, then I can see the argument. If not, then this customer appears to misunderstand how .onion addresses work.
A .onion contains a key and Tor ensures the authenticity of the connection internally. (There are reasonably questions about the cryptographic strength of that authentication, but I think Tor are working on that and this customer doesn't appear to be raising that

> Right now anyone could throw up a Tor hidden service that acted as a proxy to our service and claim it to either be official are a better/faster method than using a normal exit node and some people would believe them; once we start running our service we expect some to attempt this anyway.

This is a fair point but, again, only seems to make sense if it's an EV certificate.



More information about the Public mailing list