
Re: [tor-talk] HTTPS to hidden service unnecessary?



On 7/9/12 10:49 PM, Juenca R wrote:
>> - You want SSL client authentication
>>
>> - You want to use particular key exchange like TLS SRP
>> https://github.com/trevp/tlslite
> 
> These two things are really esoteric, aren't they?  I mean, good technology, but not used very often?
Client-side authentication is widely used within e-governmental services
with smartcards. Maybe one day some government will try using Tor HS? :-)

TLS SRP is just relatively new, not "esoteric", and IMHO it will get
wider use, as it's TLS with shared-secret authentication rather than
CA-based authentication.
Especially when thinking about possible future integration with the upcoming
JavaScript TLS implementation https://github.com/digitalbazaar/forge .

However, if you don't need it, just don't care.

>> - You want the client to be able to trust a specific certificate and/or
>> CA that you already trusted over the internet/intranet
> 
> Good point, although the domain will mismatch, so you might still have the problem of the user needing to confirm a security exception.

You can have multiple hostnames within the same certificate.

At the same time you may have your own private CA (like most big
enterprises do), trust that, and use it for both "internet" hostnames and
"darknet" hostnames.


-naif
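The multi-hostname certificate and private-CA setup discussed above, as an added example that is not code from the thread or from any project it mentions: a private CA signs one server certificate whose subjectAltName carries both an "internet" hostname and a "darknet" (.onion) hostname, and `openssl verify -verify_hostname` then plays the role of a client that trusts that CA. It assumes the `openssl` command-line tool (1.1.0 or later for `-verify_hostname`); the hostnames, the working directory and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: a private CA signs one server
# certificate whose subjectAltName lists both an internet hostname and an
# .onion hostname, so a client that trusts the CA accepts either name.
# Requires the openssl CLI (1.1.0+ for -verify_hostname). Hostnames below
# are constructed placeholders, not real services.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CLEARNET_HOST="www.example.com"                                           # placeholder
ONION_HOST="placeholderonionaddressxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion"  # placeholder

# Extension profiles: one for the CA root, one for the dual-name server cert.
write_ext_config() {
  cat > "$WORK/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$CLEARNET_HOST,DNS:$ONION_HOST
EOF
}

# Self-signed root for the private CA: the one thing clients must be told to trust.
make_private_ca() {
  write_ext_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Private CA" \
    -config "$WORK/ext.cnf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server key + CSR, then a CA-signed certificate carrying both SAN entries.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$CLEARNET_HOST" -config "$WORK/ext.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions v3_server \
    -out "$WORK/server.crt" 2>/dev/null
}

# verify_for_host HOST: exit 0 only if server.crt chains to our CA AND one of
# its SAN entries matches HOST, which is the check a TLS client performs.
verify_for_host() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# Show the SAN list so both names can be seen in the single certificate.
show_san() {
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -A1 'Subject Alternative Name'
}

make_private_ca
make_server_cert
show_san
for host in "$CLEARNET_HOST" "$ONION_HOST" "unrelated.example.net"; do
  if verify_for_host "$host"; then
    echo "accepted: $host"
  else
    echo "rejected: $host"
  fi
done
```

The third name in the loop is rejected even though the chain is valid, which is the point of the hostname check: trusting the private CA removes the "unknown issuer" warning, and listing every name the service answers on removes the mismatch warning the quoted reply worried about. Clients still have to have `ca.crt` installed as a trust anchor, so this works for a user base you can distribute that file to, not for the open internet.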
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk