Opened 4 years ago

Last modified 8 months ago

#18696 new enhancement

.onion names contain their own validator, we should use that

Reported by: huseby Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: asn Actual Points:
Parent ID: Points:
Reviewer: Sponsor: Sponsor27

Description

Companion bug to https://bgz.la/1250696

I'd like to get feedback on this proposal.

The idea is to allow TBB to accept a self-signed trust root cert if the hash of the public key matches the .onion address. This will allow servers running as .onion sites to generate strong/modern TLS certs that are signed by a self-signed root cert containing the .onion public key.

This should allow us to get around the DV cert problem and allow valid .onion TLS certs be validated by the .onion name and have strong/modern TLS certs.

Child Tickets

Change History (5)

comment:1 Changed 4 years ago by cypherpunks

Component: - Select a componentTor Browser
Owner: set to tbb-team

comment:2 Changed 2 years ago by tokotoko

Cc: fdsfgs@… added

comment:3 Changed 2 years ago by tokotoko

Cc: fdsfgs@… removed

comment:4 Changed 8 months ago by gk

Cc: asn added
Sponsor: Sponsor27

asn: What do you think?

comment:5 Changed 8 months ago by asn

Hm. This seems plausible in terms of design and use cases. Not sure how it interacts with all the other onion DV proposals that have been proposed. e.g. https://github.com/alecmuffett/onion-dv-certificate-proposal

Note: See TracTickets for help on using tickets.