Delivery-Date: Fri, 02 Jan 2015 03:41:38 -0500
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	FREEMAIL_FROM,RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD,T_DKIM_INVALID,URIBL_BLOCKED
	autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 763951E03D3
	for <archiver@seul.org>; Fri,  2 Jan 2015 03:41:37 -0500 (EST)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 71C6E32523;
	Fri,  2 Jan 2015 08:41:34 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 15A52324FB
 for <tor-talk@lists.torproject.org>; Fri,  2 Jan 2015 08:41:31 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 6EgDHODkT9pk for <tor-talk@lists.torproject.org>;
 Fri,  2 Jan 2015 08:41:31 +0000 (UTC)
Received: from forward4l.mail.yandex.net (forward4l.mail.yandex.net
 [84.201.143.137])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "forwards.mail.yandex.net",
 Issuer "Certum Level IV CA" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id DCACC324CB
 for <tor-talk@lists.torproject.org>; Fri,  2 Jan 2015 08:41:30 +0000 (UTC)
Received: from smtp17.mail.yandex.net (smtp17.mail.yandex.net [95.108.252.17])
 by forward4l.mail.yandex.net (Yandex) with ESMTP id C9A801440D8C
 for <tor-talk@lists.torproject.org>; Fri,  2 Jan 2015 11:41:25 +0300 (MSK)
Received: from smtp17.mail.yandex.net (localhost [127.0.0.1])
 by smtp17.mail.yandex.net (Yandex) with ESMTP id 65870190013B
 for <tor-talk@lists.torproject.org>; Fri,  2 Jan 2015 11:41:25 +0300 (MSK)
Received: from cs-tor.bu.edu (cs-tor.bu.edu [204.8.156.142])
 by smtp17.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id fwQeMFhicW-fHI4dSan; 
 Fri,  2 Jan 2015 11:41:21 +0300
 (using SSLv3 with cipher AES128-SHA (128/128 bits))
 (Client certificate not present)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.com; s=mail;
 t=1420188084; bh=fqXKlwO+nZRizcqG2MbpPch9ProhpDORbzzferUJLac=;
 h=Date:From:To:Subject:Message-ID:In-Reply-To:References:X-Mailer:
 Mime-Version:Content-Type:Content-Transfer-Encoding;
 b=KSmm1V8RnEPmUreBHpEU31/GwhFwpLVhoOk+mU9SU8oGkKS8iQtInUP29RS7XDMe2
 6hCwMzyAWfOCkLk8Vc+ghRk0GbBzql/Z4vkffKSb3r1jA/cVJDNiFwbFd6DxJNEqRq
 gshzkX3PvkS/ewbXARXKzklHv3+cjp9uQN12fF48=
Authentication-Results: smtp17.mail.yandex.net; dkim=pass header.i=@yandex.com
Date: Fri, 2 Jan 2015 18:40:44 +1000
From: Katya Titov <kattitov@yandex.com>
To: tor-talk@lists.torproject.org
Message-ID: <20150102184044.405d1163@localhost.localdomain>
In-Reply-To: <54A63A1A.50307@riseup.net>
References: <54A4A69B.4020803@riseup.net>
 <20150101132852.73822cef@localhost.localdomain>
 <54A4C6BF.3040207@riseup.net>
 <20150101143551.00c64c7e@localhost.localdomain>
 <218CCDA8-6BB7-4C1C-B806-A1CEAB42A1C0@riseup.net>
 <20150101170451.33e950e6@localhost.localdomain>
 <54A59E83.1080300@riseup.net>
 <20150102104622.3e5fb008@localhost.localdomain>
 <0BE4AC7A-4DA6-4F56-8B88-9C2B93E9FC7A@riseup.net>
 <CADop2NEx22J2qGspApv588uC8o32OmS8zzV5yyek_UxtMxZGiw@mail.gmail.com>
 <CAJaLD9+M8EErJ11LRGQYrYLOf+9+8dQL6RawC+3UY-ojLd=sWQ@mail.gmail.com>
 <54A607EB.1020505@riseup.net>
 <CADop2NE5tY_97XdYY=UWfd_xvbByPqd95LW4Z8G4Q+m44n-YZQ@mail.gmail.com>
 <54A62DB2.5010806@metaverse.org> <54A63A1A.50307@riseup.net>
X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.10; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Subject: Re: [tor-talk] Giving Hidden Services some love
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

Thomas White:
> The whole CA system is a broken model in many ways yes, but that
> doesn't mean we should totally disregard it. We can work with the CAs
> to build up a standing as long as we don't forget that CAs are no
> requirement to legitimacy. If a standard is set by the CA community
> this paves the way to other pushes and can be seen as a credential
> that this isn't some fad or "criminal" tool, but is a genuine and
> useful tool in this day and age.

This is an excellent point. Add to that the fact that we've been
telling people to check for the padlock for the better part of 20
years and we're finally seeing it roll out almost across the board. I
would think it's a little too early to move on to something else.

That being said, another option is to ditch the CAs and use a TOFU
(trust on first use) and certificate transparency approach for .onion
domains within TBB. That gives us self-signed certificates and
reasonable security without warnings being presented to the user. The
Certificate Patrol and Perspectives plugins (and others) may be able to
be re-purposed.

Another thought: is it possible to tie the certificate's private key to
the private key of the hidden service and have TBB (or Tor) verify that?
-- 
kat
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
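As an added illustration of the two ideas in the message above (a TOFU pin store for .onion hosts, and checking that the certificate's key is the hidden service's own key), here is a small self-contained Python sketch. It is not Tor, TBB or Certificate Patrol code. It relies on the way v2 onion addresses are formed: the base32 encoding of the first 80 bits of SHA-1 over the DER-encoded (PKCS#1) RSA public key. It does not parse X.509; the certificate's RSA key is passed as its (n, e) pair, which is a simplification. The names `OnionTofuStore` and `key_bound_to_onion` and the tiny toy keys are constructed for the example.

```python
# Added illustration for this thread: a trust-on-first-use (TOFU) pin store for
# .onion hosts, plus a check that the key in a service's certificate is the same
# RSA key its (v2) .onion address was derived from. Not Tor or TBB code.
import base64
import hashlib

B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def _der_length(length: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if length < 0x80:
        return bytes([length])
    raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_integer(value: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps the value positive when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + _der_length(len(raw)) + raw


def rsa_public_key_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(body)) + body


def v2_onion_address(n: int, e: int) -> str:
    """v2 onion address: base32 of the first 80 bits of SHA-1 over the DER public key."""
    digest = hashlib.sha1(rsa_public_key_der(n, e)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def key_bound_to_onion(host: str, n: int, e: int) -> bool:
    """True iff the certificate's RSA key is the key the .onion address names."""
    return host.lower() == v2_onion_address(n, e)


class OnionTofuStore:
    """Pins the SHA-256 of a host's public key on first sight; warns when it changes."""

    def __init__(self) -> None:
        self.pins = {}  # host -> hex SHA-256 of the DER public key

    def check(self, host: str, n: int, e: int) -> str:
        host = host.lower()
        # The address binding is checked before any pinning: a key that does
        # not hash to the .onion address must never become a trusted pin.
        if host.endswith(".onion") and not key_bound_to_onion(host, n, e):
            return "reject: key does not match onion address"
        fingerprint = hashlib.sha256(rsa_public_key_der(n, e)).hexdigest()
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fingerprint
            return "first-use: pinned"
        if pinned == fingerprint:
            return "ok: matches pin"
        return "warn: key changed since first use"


# Constructed toy RSA public keys (tiny, illustration only; real keys are 1024+ bits).
TOY_KEY_A = (3233, 17)
TOY_KEY_B = (3233, 7)

if __name__ == "__main__":
    store = OnionTofuStore()
    host_a = v2_onion_address(*TOY_KEY_A)
    print(host_a)
    print(store.check(host_a, *TOY_KEY_A))      # first-use: pinned
    print(store.check(host_a, *TOY_KEY_A))      # ok: matches pin
    print(store.check(host_a, *TOY_KEY_B))      # reject: key does not match onion address
    print(store.check("example.com", *TOY_KEY_A))  # first-use: pinned (no address binding)
    print(store.check("example.com", *TOY_KEY_B))  # warn: key changed since first use
```

The ordering in `check` is the point: for a .onion host whose certificate key is the service key, the address itself already authenticates the key, so the TOFU pin only ever confirms what the address binding proved; the pin store earns its keep for hosts without such a binding, where a changed key is the only signal available.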

