On Sat, Jan 16, 2016 at 10:22:50PM +0100, Rejo Zenger wrote:
> Hi!
>
> I'm wondering...
>
> - How can a user reliably determine some .onion address actually
>   belongs to intended owner?
>
> - How is the provider of .onion service supposed to deal with a lost or
>   compromised private key, especially from the point of view from the
>   user of this service? How does the user know a .onion-address has
>   its key revoked?
>
For a description of what one can do now via GPG, and a plan for integration with Certificate Authorities (for the little guy, not just, e.g., Facebook), see
https://github.com/saint/w2sp-2015/blob/master/SP_SPSI-2015-09-0170.R1_Syverson.pdf

Note: this is specifically focused on onionsites that have registered domains with which to associate. The GPG approach could be used without a registered domain associated. (And in a previously published paper also on saint's github, we noted that this could work for Wordpress blogs or Facebook pages, not just domains registered by the onionsite owner.) Or one could use keybase, etc. I just want people to know the scope of what is being attempted in this work.

aloha,
Paul