On Mon, Jan 26, 2026 at 06:37:41PM +0100, dzwdz via tor-dev wrote: > Do server providers even allow you to use a domain that you don't own (such > as the proposed *.home.arpa)? That sounds like it could lead to issues for > them down the line, e.g. if a customer comes along who owns a domain I > "squatted" for my server. Thus, even if this is permitted nowadays, I > wouldn't be surprised if they start locking this down.
Tor TLS certificates are self-signed, the names in there can be anything. Ranging from a random string ending with ".com" to even things such as google.com. The point is, that the trust for authenticity in Tor itself is established outside of TLS certificates with various in-protocol mechanisms. With regard to home.arpa: This domain is specifically reserved in RFC8375. It can be used by anyone without permission. Even outside of this proposal, I think that this is way better than generating a random string and appending .com to it, like what we are doing at the current moment, and what you are asking if this is even allowed in the first place; to which the answer is a clear yes, as this is the status quo. > Back to my first point, maybe relays should be able to set an arbitrary SNI > instead? This would be much more flexible for e.g. when your provider > requires you to actually own the used domain, but it also would mean that > most relays could keep using the randomly generated domains. But how would you communicate that domain to clients? The SNI must be known to clients for use in their `ClientHello`, similar to a host in a `Host` HTTP header. AFAIK, IP addresses may not be used as FQDNs in SNIs. Thank You Clara _______________________________________________ tor-dev mailing list -- [email protected] To unsubscribe send an email to [email protected]
