[cabfpub] .onion and .exit

Jeremy Rowley jeremy.rowley at digicert.com
Thu Oct 16 17:42:06 UTC 2014

I think it makes sense in even a DV concept.  A user seeing that the cert has the .onion address as well as the .com address receives some assurance that both are controlled by the same entity.  If the user can accept google.com as solely controlled by Google, they have some verification under the BRs that the domains in the same certificate are also controlled by that entity.

Granted, EV provides a higher level of assurance, but there are still assurances of control provided by DV and OV.  The goal is to remove anonymity for the service provider while still giving the user the same anonymity benefits provided by the .onion addresses.

-----Original Message-----
From: Adam Langley [mailto:agl at google.com] 
Sent: Thursday, October 16, 2014 11:35 AM
To: Jeremy Rowley
Cc: Gervase Markham; Phillip Hallam-Baker; CABFPub
Subject: Re: [cabfpub] .onion and .exit

On Thu, Oct 16, 2014 at 10:01 AM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> In this case, [customers] want the certificate to tie the service to 
> the company so that users know exactly who is controlling the service. 
> The cert is primarily to ensure that users are connecting to the 
> correct service and that government actors aren't spoofing or MITM the 
> service. The reason we want to add the .onion addresses to our 
> certificate is that we believe the only way for us to truly secure the 
> connection end-to-end is for us to present our service with a 
> certified .onion address and to rewrite all of our internal urls to 
> be .onion addresses as well

Is this an EV certificate? If so, then I can see the argument. If not, then this customer appears to misunderstand how .onion addresses work.
A .onion contains a key and Tor ensures the authenticity of the connection internally. (There are reasonable questions about the cryptographic strength of that authentication, but I think Tor are working on that and this customer doesn't appear to be raising that

> Right now anyone could throw up a Tor hidden service that acted as a proxy to our service and claim it to either be official or a better/faster method than using a normal exit node and some people would believe them; once we start running our service we expect some to attempt this anyway.

This is a fair point but, again, only seems to make sense if it's an EV certificate.


