Certificates for Onion Services

About

This document tracks existing procedures and proposals for integrating and validating TLS/HTTPS certificates for Onion Services. While some depend on the Certificate Authority (CA) model, others rely on alternative certification and validation procedures that do not require built-in certificate chains in the client software or reliance on financial transactions.

Introduction

When you browse the internet normally, the connection between your computer and a service is usually encrypted, and the safety of this communication depends on the verification of a special type of certificate. With Onion Services, the connection is peer-to-peer encrypted by default, which means that no additional certificates are needed. But as the web and other internet technologies mature, certificates are becoming a requirement for unlocking functionality, especially in web browsers, such as the faster connection protocol HTTP/2 and payment processing. That is why it is important to improve the certificate ecosystem to fully support Onion Services.

This is a hard problem and an ongoing effort, but important work has already been done to solve it. The most relevant piece should bring automation to the process of issuing certificates for Onion Services, through an enhancement to a protocol called ACME. The ACME for Onions proposal consists of tools and an Internet Draft, which will hopefully become an Internet Standard soon. We are also looking into other, non-conflicting alternatives that can also be used for certification, so service operators can decide which one best fits their use case. Improving the certificate functionality will bring Onion Services to parity with the modern web development stack.
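The self-authentication property described above can be checked directly from the address: a v3 onion address is base32(PUBKEY || CHECKSUM || VERSION) with CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2], so a client recovers the service's ed25519 public key from the URL alone and rejects a mistyped or altered name. The following is an added example, not code from this page or from the Tor Project; the key it is exercised with in the test is a constructed value.

```python
import base64
import hashlib
from typing import Optional

# v3 onion addresses (ed25519-based) end their 35-byte payload with version byte 0x03.
ONION_V3_VERSION = b"\x03"
ONION_SUFFIX = ".onion"


def onion_checksum(pubkey: bytes, version: bytes = ONION_V3_VERSION) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def build_onion_v3(pubkey: bytes, checksum: Optional[bytes] = None,
                   version: bytes = ONION_V3_VERSION) -> str:
    """Encode base32(PUBKEY || CHECKSUM || VERSION) + ".onion".

    checksum and version may be overridden to construct deliberately bad
    addresses for testing the validator; normally leave them at the defaults.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    if checksum is None:
        checksum = onion_checksum(pubkey, version)
    # 35 bytes is a multiple of 5, so base32 output is exactly 56 chars, no padding.
    body = base64.b32encode(pubkey + checksum + version).decode("ascii").lower()
    return body + ONION_SUFFIX


def decode_onion_v3(address: str) -> bytes:
    """Return the 32-byte ed25519 public key encoded in a v3 onion address.

    Raises ValueError when the address is malformed, carries an unexpected
    version byte, or its checksum does not match (a typo or a look-alike name).
    """
    name = address.strip().lower()
    if name.endswith(ONION_SUFFIX):
        name = name[: -len(ONION_SUFFIX)]
    if len(name) != 56:
        raise ValueError("v3 onion address body must be 56 base32 characters")
    raw = base64.b32decode(name.upper())  # binascii.Error is a ValueError subclass
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError(f"unsupported onion address version {version!r}")
    if checksum != onion_checksum(pubkey, version):
        raise ValueError("onion address checksum mismatch")
    return pubkey


def is_valid_onion_v3(address: str) -> bool:
    """Boolean convenience wrapper around decode_onion_v3."""
    try:
        decode_onion_v3(address)
        return True
    except ValueError:
        return False
```

Because the key is recovered from the name itself, a certificate issued for an onion address can only add browser-facing functionality on top of this binding, not replace it.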
Benefits

It may be argued that Onion Services connections are already self-authenticated -- since the public key and the URL are tied together and the connection is peer-to-peer encrypted --, and thus making the need f...