> sign a
> self-signed tls certificate with your Onion Service's hs_ed25519_secret_key
> and Tor Browser trusting the tls certificate based on this signature
- In the unlikely case tor crypto fails or breaks, e2e TLS is good there.
- An admin might terminate onions on one box and forward the plaintext off to other places; e2e TLS is good there.
- Onionland does have some PKI, CA, pinning, and tor signing infrastructures.
- Admins might want to play, learn, and do it just because they can.

The browser either has options to import and trust an onion sig over a cert, or you need to add it, or skip it and use today's typical cert methods. The concepts apply to both v2 and v3 onions.

> Would this approach work?

Manually for you, and by users, loading and configuring things, yes. Automagically, the browser would need to fetch pubkeys from the controller, hsdir consensus, observatories, or other methods.

> Would it be worth the effort?

For whatever ca / pki structures are already good for, or not. And it might help against the rewriting onion proxies...

_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
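The two halves of the scheme discussed in the thread (the service signing its self-signed TLS leaf with its ed25519 identity key, and the browser checking that signature against the onion pubkey it already holds) as an added example in Go, not code from the post or from Tor. The binding message format, the function names and the placeholder hostname are assumptions; `onionPriv` stands in for `hs_ed25519_secret_key`, and the browser is assumed to have obtained `onionPub` out of band (descriptor, controller, etc.).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// CertBindingMessage: what the onion key signs, a domain-separated SHA-256 of the
// leaf's DER bytes (the prefix string is a constructed assumption, not a Tor spec).
func CertBindingMessage(certDER []byte) []byte {
	h := sha256.New()
	h.Write([]byte("onion-tls-cert-binding-v0\x00"))
	h.Write(certDER)
	return h.Sum(nil)
}

// Service side: onionPriv stands in for the service's hs_ed25519_secret_key.
func SignCertWithOnionKey(onionPriv ed25519.PrivateKey, certDER []byte) []byte {
	return ed25519.Sign(onionPriv, CertBindingMessage(certDER))
}

// Browser side: given the onion public key it already holds (e.g. from the HS
// descriptor), the cert must name the host and the signature must verify.
func VerifyOnionCertBinding(onionPub ed25519.PublicKey, host string, certDER, sig []byte) bool {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil || cert.VerifyHostname(host) != nil {
		return false
	}
	return ed25519.Verify(onionPub, CertBindingMessage(certDER), sig)
}

// MakeSelfSignedCert builds a throwaway self-signed ECDSA leaf naming host (fixture only).
func MakeSelfSignedCert(host string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}
```

The hostname check matters as much as the signature: without it a valid signature over some other cert the service once issued could be presented for a different name.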