Certificates for Onion Services
14 days ago
- #TLS Certificates
- #ACME
- #Onion Services
- Proposals for certificates on Onion Services aim to issue and validate TLS/HTTPS certificates for .onion sites, some relying on Certificate Authorities (CAs) and others on alternative certification methods.
- Onion Services provide peer-to-peer encryption by default, but certificates are becoming necessary for functionalities like HTTP/2 and payment processing in web browsers.
- The ACME for Onions proposal seeks to automate certificate issuance for Onion Services, potentially becoming an Internet Standard.
- Benefits of HTTPS for Onion Services include enabling browser features like Secure Contexts, WebAuthn, and PaymentRequest, and supporting HTTP/2 and HTTP/3.
- Various proposals exist for certificate validation, including Existing CA validation, ACME for .onion, Self-signed certificates, and Onion-only CAs.
- Self-signed X.509 certificates derived from .onion addresses could avoid CA reliance but require client-side logic and browser support for Ed25519.
- The Same Origin Onion Certificates (SOOC) proposal aims to standardize self-signed certificate acceptance for .onion sites.
- DANE for .onion proposes using DNS records for certificate validation but faces limited browser support.
- Onion-only CAs would issue certificates only for .onion domains, simplifying validation but requiring CA adoption.
- Custom CAs and PKCS#11 modules offer alternative certification methods, with PKCS#11 being well-established but requiring OpenSSL support.
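As an added example (not from the original page or from the SOOC proposal), the client-side check that the self-signed and SOOC bullets above call for: decode the Ed25519 key embedded in a v3 .onion hostname, validate the address checksum, and confirm the key equals the one in the certificate's SubjectPublicKeyInfo. The sample key is constructed, and only the standard library is used.

```python
"""Match an Ed25519 key from a self-signed certificate's SubjectPublicKeyInfo
against a v3 .onion address (stdlib only; sample key is constructed)."""
import base64
import hashlib

ONION_V3_VERSION = b"\x03"
# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
# SEQUENCE { AlgorithmIdentifier id-Ed25519 } BIT STRING (32 bytes follow)
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def onion_checksum(pubkey: bytes) -> bytes:
    """SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2], per rend-spec-v3."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]


def pubkey_to_onion(pubkey: bytes) -> str:
    """Encode a 32-byte Ed25519 public key as a v3 onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def onion_to_pubkey(hostname: str) -> bytes:
    """Decode a v3 onion hostname and return the embedded public key.
    Raises ValueError on bad length, unknown version or checksum mismatch."""
    label = hostname.lower().removesuffix(".onion")
    if len(label) != 56:
        raise ValueError("v3 onion address must be 56 base32 characters")
    raw = base64.b32decode(label.upper())  # 35 bytes: key || checksum || version
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_V3_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("onion address checksum mismatch")
    return pubkey


def spki_to_pubkey(spki_der: bytes) -> bytes:
    """Extract the raw key from an Ed25519 SubjectPublicKeyInfo DER blob."""
    if len(spki_der) != 44 or not spki_der.startswith(ED25519_SPKI_PREFIX):
        raise ValueError("not an Ed25519 SubjectPublicKeyInfo")
    return spki_der[len(ED25519_SPKI_PREFIX):]


def cert_key_matches_onion(spki_der: bytes, hostname: str) -> bool:
    """SOOC-style acceptance rule: the certificate's key must be the very key
    the .onion name is derived from. Malformed input is a mismatch, not an error."""
    try:
        return spki_to_pubkey(spki_der) == onion_to_pubkey(hostname)
    except ValueError:
        return False
```

Because the version byte is fixed, every v3 address ends in "d", which makes a quick sanity check before the full decode.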