Re: [tor-talk] Giving Hidden Services some love

[Matthew Puckey <matt@xxxxxxxxxx>]

On Fri, 02 Jan 2015 06:26:34 +0000
Thomas White <thomaswhite@xxxxxxxxxx> wrote:

> The whole CA system is a broken model in many ways yes, but that
> doesn't mean we should totally disregard it. We can work with the CA's
> to build up a standing as long as we don't forget that CA's are no
> requirement to legitimacy. If a standard is set by the CA community
> this paves the way to other pushes and can be seen as a credential
> that this isn't some fad or "criminal" tool, but is a genuine and
> useful tool in this day and age.

Assuming someone believes that hidden services has a bad 'reputation',
I'm not sure that because a CA would be willing to issue certificates
for a .onion, that this will provide enough 'credentials' for people to
improve their view of hidden services.

I don't think we should look towards encouraging the use of a CA
signing a .onion. We should be looking towards more decentralized
methods, i.e. (which I'm sure people have read, but quoting none the
the less) the idea that was within Tor's blog post [1]...

"A more thorough approach in that direction is to have a way for a
hidden service to generate its own signed https cert using its onion
private key, and teach Tor Browser how to verify them â basically a
decentralized CA for .onion addresses, since they are
self-authenticating anyway."

This gives the user some confidence (as they'll see the "https"), and
in my opinion moves away from a broken CA system.

[1]https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs

-- 
Matthew Puckey
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk