Re: [tor-talk] Giving Hidden Services some love

The whole CA system is a broken model in many ways, yes, but that
doesn't mean we should totally disregard it. We can work with the CAs
to build up a standing as long as we don't forget that CAs are no
requirement to legitimacy. If a standard is set by the CA community
this paves the way to other pushes and can be seen as a credential
that this isn't some fad or "criminal" tool, but is a genuine and
useful tool in this day and age.

Re: setting up a CA. I did some research on this a while ago after
bouncing the idea around on IRC and the problem is the legal side of
things. It will be difficult for Mozilla to accept a CA who would only
sign for .onion certificates (there is no policy in place but it seems
the easiest route rather than applying for a full spectrum CA root
cert include). Even if any of the certificates are granted for that
org to become a CA you have considerations such as insurance (which I
do believe is a requirement). I mean it is certainly possible, but it
would require a huge amount of co-ordinated effort, a contact within
Mozilla, the proper technical and legal infrastructure etc. I am more
than happy to advise on such things with what research I have already
done, but right now I think petitioning the existing CAs who have
policy influence may be a better route.


Peter Tonoli:
> On 2/01/2015 4:03 pm, Virgil Griffith wrote:
>> Being a CA for .onion seems a reasonable thing to be.  Should
>> someone already part of the Tor community like torservers.net
>> become that CA?
> I thought the general consensus was that the CA system is totally 
> broken. Why would we want to build on an already broken system, 
> considering the trust and reliability that's required for Tor?
>> On Thu, Jan 1, 2015 at 6:52 PM, Thomas White
>> <thomaswhite@xxxxxxxxxx> wrote: To individuals - no. However that
>> being said, I am currently working with two CAs on getting them
>> to set out a standard to adopt with the other CAs since they
>> cannot just issue a certificate without following the guidance
>> that the CA Forum sets out. Right now their main problem is that
>> there is no policy on it and so standardising the procedure is 
>> required for any certificates with an expiry beyond November
>> 2015.
>> I'll update this list when we have new information on the matter
>> but I don't expect an update until their next official policy
>> meeting around May I believe.

