++ 16/01/16 15:20 -0700 - Mirimir:
>
>> Or, to rephrase it: how can a user reliably determine the .onion address
>> for a given entity without relying on the flawed CA system and without
>> the entity having a lot of visibility?
>
>I GnuPG sign pages on http://dbshmc5frbchaum2.onion and have the public
>key online in four other independent places. I recommend that users
>first verify that all five places provide the same public key. Then they
>can verify that the signatures are valid.

Yes. That sounds like a nice setup - however, with all respect, not one that
will be adopted in a safe way by the majority of the people. It is not
"broadly accessible".

I like it a lot that sites like Facebook are accessible as a .onion-service,
as it will make this kind of security accessible to a broad group of people,
including those with a less strong technical background. They (no, we all!)
should have more accessible means of verifying the ownership of a
.onion-address.

--
Rejo Zenger
E rejo@xxxxxxxxx | P +31(0)639642738 | W https://rejo.zenger.nl
T @rejozenger | J rejo@xxxxxxxxx
OpenPGP   1FBF 7B37 6537 68B1 2532 A4CB 0994 0946 21DB EFD4
XMPP OTR  271A 9186 AFBC 8124 18CF 4BE2 E000 E708 F811 5ACF
Signal    05 EB 38 5C 01 0B 55 6A 19 69 E1 EF C2 99 89 EC 9C E4 88 3C 6F E3 7D 58 61 9B 32 E8 DB 9F ED 1B 2A
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk