[cabfpub] .onion and .exit

Phillip Hallam-Baker philliph at comodo.com
Thu Oct 16 18:01:16 UTC 2014

Wouldn't this purpose be better served by issuing a certificate in the
normal fashion that contains information that a Tor client can use in an
intelligent fashion to make sense of an address?

The fact that someone types example.com.onion into a browser bar
does not mean that it need be interpreted in IANA space. After all, if
I type in 'Google', I will get the result of a search on the word
'google', not http://google.com/

If we are interpreting example.com.onion as 'use Tor to get to
example.com' in a Tor-capable browser, then said browser can make sense
of any information it eventually gets from the end site in a sensible
fashion. If the result is a tunnel to example.com, then it can return
an EV certificate for example.com and everything works as expected.

Now, said certificate could include Tor-specific crypto gumpf if it was
useful, but I can't see why you would ever need more than a key.

In other words, let the applications that are commandeering the .onion
space make the adjustments rather than us. This needs a special set of
browser path math rules, not a change in the cert validation requirements.
