[cabfpub] Ballot 144 -.onion domains

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Fri Feb 13 19:42:46 UTC 2015

I'm over my ski tips, but... wouldn't revocation checking (by the user's client) potentially reveal which websites the Tor user is viewing?

-----Original Message-----
From: Tom Ritter [mailto:tom at ritter.vg] 
Sent: Friday, February 13, 2015 11:38 AM
To: Kirk Hall (RD-US)
Cc: Gervase Markham; Jeremy Rowley (jeremy.rowley at digicert.com); Ben Wilson (Ben.Wilson at digicert.com); CABFPub (public at cabforum.org)
Subject: Re: [cabfpub] Ballot 144 -.onion domains

On 13 February 2015 at 13:25, kirk_hall at trendmicro.com <kirk_hall at trendmicro.com> wrote:
> Maybe you're right on that point, Gerv.
> One other question:   Does Tor do revocation checking for .onion certs?  I'm guessing not for privacy reasons...  I know some browsers have given up some revocation checking (a mistake in my opinion), but if we know an application never checks for revocation as a matter of policy, that would concern me.  There would be no way to remove a bad cert (used for fraud or abuse, or misissued to the wrong party) from the Tor system, even if the CA revokes it.

I do not believe that Tor Browser edits Firefox's configuration for revocation.

I expected to see something here:
- but the absence and other bug reports I've seen make me believe it's left as the default.
