[cabfpub] Ballot 144 -.onion domains

Erwann Abalea erwann.abalea at opentrust.com
Tue Feb 17 09:38:05 MST 2015


Hello,

Coming back on this email, as it seems it hasn't been fully answered.

On 13/02/2015 17:28, kirk_hall at trendmicro.com wrote:
>
> [...]
>
> I have to circle back to “Why are we doing this?”
>
> • Tor users want to visit websites anonymously.  [That sounds like 
> something CAs should support if possible]
>
> • Website owners do **not** want anonymity – in fact, just the 
> opposite.  They want EV certs with their identity information included 
> that will work for Tor users.
>
> • For some reason, regular TLD certs (like .com certs) won't work after 
> Tor users go through the Tor blender.  [Does anyone know why that is 
> the case?]
>

A TorBrowser user can connect to https://www.facebook.com; the browser will show 
the nice padlock icon, and all the packets will go through the Tor mesh 
network.
A "{elinks,chrome,IE,whatever}+tor+socks5-in-between" user can do the 
same thing with the same guarantees.

> • But for some reason, Internal Name .onion certs **do** work for Tor 
> users after they go through the Tor blender.  [Does anyone know why 
> this is so?]
>
> • Tor does not want to apply for .onion as a TLD, and does not want to 
> be the registrar for .onion [Why not?  That would solve everything by 
> making .onion a TLD, so all the current CA rules could apply.  And 
> remember, website users are not looking for anonymity in their certs – 
> they want EV certs with their identity displayed prominently in the 
> browsers.]
>
> • The Tor process for assigning .onion domains does not require domains 
> to be unique.
>

IIUC, asking Tor to connect to some identified server creates a circuit, 
involving at least 3 nodes (entry, relay+, exit) to provide some anonymity.
Asking Tor to connect to a .onion address involves requesting the 
nearest catalog of hidden services to get the Tor node hosting this 
hidden service, and the circuit will never go through an exit node, 
providing confidentiality. This confidentiality is already offered by TLS.

-- 
Erwann ABALEA

