On 31 October 2014 08:05, AntiTree <antit...@gmail.com> wrote:
> I find the interesting part the fact that they got a CA to sign a .onion
> domain certificate. Is that normal?

No, this is the first time it's ever happened.

On 31 October 2014 09:20, AntiTree <antit...@gmail.com> wrote:
> I'm still wondering how one verifies ownership of a .onion domain?

Oh, it'd be pretty easy, technically. An onion domain is a fingerprint of the public key - sign a statement with the private key, and you can verify ownership pretty easily. I don't know if that's what DigiCert did, but I find the 'How do you even verify that?!' argument to be fairly uninteresting.

> You aren't going to look at the WHOIS record and send an email to the
> technical contact on file or send an email to postmaster@xxx.onion. Do
> large companies like FB have a fast track for getting odd requests?

Of course - companies that pay 5 figures or more to CAs per year can certainly call them up and ask after odd things. Don't view it as conspiracy; it's how business works - pay more, get better service. It doesn't mean you can get anything you ask, but you can make them say no to you. :)

For example, when you ship a hardware device with one root CA, you need to make sure that when you buy your next certificate from the company, it's signed by an intermediate chained up to that root CA. That's a reasonable request. Request a 512-bit certificate - they're going to say no.

If one is interested in the CA aspect of this, I encourage you to read the CABForum thread:
https://cabforum.org/pipermail/public/2014-October/thread.html#4210

and Tor's thoughts (Part 4):
https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs

-tom

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
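The ownership check tom sketches above, as an added example that is not code from the thread, from Tor or from DigiCert: derive the 2014-era v2 onion name from the RSA public key (first 80 bits of SHA-1 over the PKCS#1 DER encoding, base32), have the operator sign a verifier-chosen nonce, and have the verifier insist that the signing key actually hashes to the claimed name. The `onion-ownership|name|nonce` statement layout and the names `NewServiceKey`, `ProveOwnership` and `VerifyOwnership` are assumptions chosen for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base32"
	"fmt"
	"strings"
)

// NewServiceKey generates the hidden service's RSA key (v2 services used 1024-bit RSA).
func NewServiceKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 1024) }

// OnionV2Address derives the 16-character (v2, 2014-era) onion name from an RSA
// public key: base32 of the first 80 bits of SHA-1 over the PKCS#1 DER encoding.
func OnionV2Address(pub *rsa.PublicKey) string {
	digest := sha1.Sum(x509.MarshalPKCS1PublicKey(pub))
	return strings.ToLower(base32.StdEncoding.EncodeToString(digest[:10])) + ".onion"
}

// challengeDigest binds the nonce to the claimed name (hypothetical statement layout for this example).
func challengeDigest(onion string, nonce []byte) []byte {
	sum := sha256.Sum256(append([]byte("onion-ownership|"+onion+"|"), nonce...))
	return sum[:]
}

// ProveOwnership (operator side): sign the verifier's challenge with the service's private key.
func ProveOwnership(priv *rsa.PrivateKey, onion string, nonce []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, challengeDigest(onion, nonce))
}

// VerifyOwnership (CA side): the key must hash to the claimed name AND the signature must verify.
func VerifyOwnership(pub *rsa.PublicKey, onion string, nonce, sig []byte) bool {
	if OnionV2Address(pub) != onion {
		return false // a valid signature from some unrelated key proves nothing
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, challengeDigest(onion, nonce), sig) == nil
}

func main() {
	priv, _ := NewServiceKey()
	onion := OnionV2Address(&priv.PublicKey)
	nonce := make([]byte, 16)
	rand.Read(nonce) // fresh per request so a captured proof cannot be replayed
	sig, _ := ProveOwnership(priv, onion, nonce)
	fmt.Println(onion, "ownership proven:", VerifyOwnership(&priv.PublicKey, onion, nonce, sig))
}
```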