[cabfpub] DV issuance for next-generation onion services

Seth David Schoen schoen at eff.org
Fri Nov 3 17:08:59 UTC 2017


Peter Bowen writes:

> I’m honestly not a big fan of being limited to these three methods — they all are methods which have to be completed by someone with access to the “backend” server but not necessarily the onion proxy.  What options might exist for validation that are closer to the DNS validation method for Internet names?  How could a CA confirm that the onion name “owner” has approved the request?

You're right that none of these methods could be completed by someone
with access to the onion proxy alone.  I think the closest analogy would
indeed call for a new onion-specific method, which would probably
involve signing a challenge with the onion key or with a key signed by
the onion key.

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
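
The challenge-signing idea in the reply above, sketched as an added example (not part of the original email or of any CA/Browser Forum text): a next-generation (v3) onion name encodes its own Ed25519 public key, so a CA can check a signed challenge against the name itself. The context label, the function names and the generated key pair are assumptions made for this demo.

```javascript
// Added example (Node.js): CA-side check of a challenge signed with the onion key.
const crypto = require('crypto');

const B32 = 'abcdefghijklmnopqrstuvwxyz234567';
const SPKI_ED25519 = Buffer.from('302a300506032b6570032100', 'hex'); // DER header for a raw Ed25519 key
const CONTEXT = 'onion-dv-challenge:'; // hypothetical domain-separation label

const toBits = (vals, width) => Array.from(vals, v => v.toString(2).padStart(width, '0')).join('');
const b32encode = buf => toBits(buf, 8).match(/.{5}/g).map(c => B32[parseInt(c, 2)]).join('');
function b32decode(str) {
  const vals = Array.from(str, ch => B32.indexOf(ch));
  if (vals.includes(-1)) throw new Error('invalid base32 character');
  return Buffer.from(toBits(vals, 5).match(/.{8}/g).map(b => parseInt(b, 2)));
}
// v3 checksum: first two bytes of SHA3-256(".onion checksum" || pubkey || version 3)
const checksum = pubkey => crypto.createHash('sha3-256')
  .update(Buffer.concat([Buffer.from('.onion checksum'), pubkey, Buffer.from([3])]))
  .digest().subarray(0, 2);
const onionAddress = pubkey =>
  b32encode(Buffer.concat([pubkey, checksum(pubkey), Buffer.from([3])])) + '.onion';

// Returns the 32-byte Ed25519 key embedded in a v3 onion name, or throws.
function onionPublicKey(name) {
  const label = name.toLowerCase().replace(/\.onion$/, '');
  if (label.length !== 56) throw new Error('not a v3 onion name');
  const raw = b32decode(label);
  const pubkey = raw.subarray(0, 32);
  if (raw[34] !== 3 || !raw.subarray(32, 34).equals(checksum(pubkey))) throw new Error('bad version or checksum');
  return pubkey;
}
// The signed bytes bind the CA's challenge to the name being validated.
const payload = (name, challenge) => Buffer.concat([Buffer.from(CONTEXT + name + ':'), challenge]);

// CA side: the verification key comes from the requested name, not from the applicant.
function verifyChallenge(name, challenge, signature) {
  const der = Buffer.concat([SPKI_ED25519, onionPublicKey(name)]);
  const key = crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
  return crypto.verify(null, payload(name, challenge), key, signature);
}
// Constructed demo: a freshly generated key pair stands in for the onion service key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const name = onionAddress(publicKey.export({ format: 'der', type: 'spki' }).subarray(12));
  const challenge = crypto.randomBytes(32); // fresh random challenge issued by the CA
  const sig = crypto.sign(null, payload(name, challenge), privateKey);
  const otherKey = crypto.generateKeyPairSync('ed25519').privateKey;
  return { name, ok: verifyChallenge(name, challenge, sig),
    wrongKey: verifyChallenge(name, challenge, crypto.sign(null, payload(name, challenge), otherKey)),
    replayed: verifyChallenge(name, crypto.randomBytes(32), sig) };
}
```

A signature made with any other key, or one replayed against a different challenge, fails the check.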


