
Re: [tor-talk] trusting .onion services



On Sat, Jan 16, 2016 at 10:22:50PM +0100, Rejo Zenger wrote:
> Hi!
> 
> I'm wondering... 
> 
>  - How can a user reliably determine some .onion address actually
>    belongs to intended owner?
> 
>  - How is the provider of .onion service supposed to deal with a lost or
>    compromised private key, especially from the point of view from the
>    user of this service? How does the user know a .onion-address has
>    its key revoked?
> 

For a description of what one can do now via GPG, and a plan for
integration with Certificate Authorities (for the little guy, not
just, e.g., Facebook), see

https://github.com/saint/w2sp-2015/blob/master/SP_SPSI-2015-09-0170.R1_Syverson.pdf

Note: this is specifically focused on onionsites that have registered
domains with which to associate. The GPG approach could be used
without a registered domain associated. (And in a previously published
paper also on saint's github, we noted that this could work for
Wordpress blogs or Facebook pages, not just domains registered by the
onionsite owner.) Or one could use keybase, etc. I just want people to
know the scope of what is being attempted in this work.

aloha,
Paul
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk