[cabfpub] .onion proposal
brian at briansmith.org
Wed Nov 19 13:26:26 MST 2014
Gervase Markham <gerv at mozilla.org> wrote:
> I'm in support of this in principle. There are two issues with 'normal'
> internal server names:
> 1) It's not possible to prove exclusive ownership of them (because they
> aren't exclusively owned);
> For .onion names, problem 1) does not apply.
That is only true assuming you can rely on the second-preimage
resistance of truncated SHA-1, like Ryan pointed out. I think his
point is that the second-preimage resistance of truncated SHA-1 is not
strong enough to make claims like this. (Ryan: Sorry if I'm
misunderstanding you. Corrections appreciated.) I think that concern
should be addressed. This is one reason I suggested to limit the
maximum lifetime of .onion certificates.
More information about the Public