Date: Wed, 19 Aug 2015 10:34:52 -0700
From: Seth David Schoen <schoen@eff.org>
To: tor-talk@lists.torproject.org
Message-ID: <20150819173452.GT9483@mail2.eff.org>
References: <55D45D3B.3070401@infosecurity.ch>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <55D45D3B.3070401@infosecurity.ch>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [tor-talk] Letsencrypt and Tor Hidden Services

Fabio Pietrosanti (naif) - lists writes:

> Hello,
> 
> has anyone looked into the upcoming Letsencrypt and whether it would also
> work fine with Tor Hidden Services and/or if there's some
> complexity/issues to be managed?
> 
> As it would/could be interesting if Tor itself directly supported
> letsencrypt to load a TLS certificate on TorHS.

Hi, I'm working on the Let's Encrypt project.  A difficulty to contend
with is that the certificate industry doesn't want certs to be issued
for domain names in the long term unless the names are official in
some way -- to ensure that they have an unambiguous meaning worldwide.
The theoretical risk is that someone might use a name like .onion in
another way, for example by trying to register it as a DNS TLD through
ICANN.  In that case, users might be confused because they meant to use
a name in one context but it had a different meaning that they didn't
know about in a different context.

Right now, the industry allows .onion certs temporarily, but only EV
certs, not DV certs (the kind that Let's Encrypt is going to issue),
and the approval to issue them under the current compromise is going
to expire.

It's seemed like the efforts at IETF to reserve specific "peer-to-peer
names" would be an important step in making it possible for CAs to issue
certs for these names permanently.  These efforts appeared to get somewhat
bogged down at the last IETF meeting.

https://gnunet.org/ietf93dnsop

(I'm hoping to write something on the EFF site about this issue, which
may have kind of far-reaching consequences.)

Anyway, I would encourage anyone who wants to work on this issue to get
in touch with Christian Grothoff, the lead author of the P2P Names draft,
and ask what the status is and how to help out.

Theoretically the Tor Browser could come up with a different optional
mechanism for ensuring the integrity of TLS connections to hidden services
(based on the idea that virtually everyone who tries to use the hidden
services is using the Tor Browser code).  I don't know whether the Tor
Browser developers currently think this is a worthwhile path.  I can
think of arguments against it -- in particular, the next generation hidden
services design will provide much better cryptographic security than the
current HS mechanism does, so maybe it should just be a higher priority
to get that rolled out, rather than trying to make up new mechanisms to
help people use TLS on hidden services.

-- 
Seth Schoen  <schoen@eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107