Draft RFC – ACME Extensions for ".onion" domains

 (datatracker.ietf.org)

2 points | by keepamovin 9 hours ago

2 comments

  • keepamovin 9 hours ago
    This was interesting:

      An "onion-csr-01" MUST NOT be used to issue certificates for non
   ".onion" Special-Use Domain Names.

   Clients prove control over the key associated with the ".onion"
   service by generating a CSR [RFC2986] with the following additional
   extension attributes and signing it with the private key of the
   ".onion" Special-Use Domain Name:

   *  A caSigningNonce attribute containing the nonce provided in the
      challenge.  This MUST be raw bytes, and not the base64 encoded
      value provided in the challenge object.

   *  An applicantSigningNonce containing a nonce generated by the
      client.  This MUST have at least 64 bits of entropy.  This MUST be
      raw bytes.
  • josephcsible 8 hours ago
    Why do .onion domain names need certificates, if Tor already enforces that only the party with the corresponding private key can see traffic to them?
    [-]
    • keepamovin 4 hours ago
      The last hop off the relay is unencrypted breaking the security model.

      Also, some browser features only work on HTTPS sites.

    • mcpherrinm 8 hours ago
      I think the main reason is it allows for easier access to Tor hidden sides with a “regular” web browser. Consider a wifi network that exposed .onion domains via normal DNS, or a VPN, or other similar mechanisms. It’s not as good as Tor browser, but may be a lot more accessible.