
[tor-talk] Motivations for certificate issues for onion services



Hi folks,

For a long time, publicly-trusted certificate authorities were not
clearly permitted to issue certificates for .onion names.  However, RFC
7686 and a series of three CA/Browser Forum ballots sponsored by Digicert
have allowed issuance of EV certificates (where the legal identity of
the certificate requester is verified offline before the certificate is
issued).  This has allowed Digicert to issue a number of such certificates
to interested (extremely non-anonymous!) onion service operators.

https://crt.sh/?Identity=%25.onion

So far Digicert is the only browser-trusted CA to have taken advantage of
this policy.  Notably, it doesn't apply to certificate authorities that
only issue DV certificates, because nobody at the time found a consensus
about how to validate control over these domain names.  There was also
a long-standing concern about cryptographic strength mismatch in the
sense that the cryptography used by onion services was weaker than the
cryptography that's now used in TLS.  (I think this concern was misplaced,
but I believe it's served as one of the main rationales for distinguishing
EV from DV.)

So, there has been a suggestion that this issue might be revisited with
the next generation onion services because they have stronger
cryptographic primitives.  Apparently these have now been not only
implemented but actually demonstrated:

https://blog.torproject.org/blog/new-and-improved-onion-services-will-premiere-def-con-25

I'd like to prepare to raise this issue with the CA/Browser forum in
anticipation of a ballot there to have it be possible for DV certificates
to be issued to onion services.  So I wanted to ask two things here:

(1) What's the status of onion services looking like now?  I haven't
seen Roger's DEF CON talk.  (Was it recorded?)

(2) What reasons do people have for wanting certificates that cover
onion names?  I think I know of at least three or four reasons, but I'm
interested in creating a list that's as thorough as possible.

-- 
Seth Schoen  <schoen@xxxxxxx>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx