Hidden Services (v2) were easily weaker than their (currently alpha) counterparts, which will become available in future releases of Tor. Since they’re available now, what process needs to be started to evaluate them, identify the areas for improvement, bring that back to the Tor Project folks, and then get them to address those concerns?
The question of whether or not we should use PKI-backed TLS in Tor has already been answered: it is a big yes. Facebook is pretty much the only interaction most folks have on Tor with TLS, because EV certificates aren’t cheap (and in most cases go against the nature of Tor/hidden services in general).
The question is now: is a cryptosystem based on a 256-bit ed25519 keypair enough to root trust in? If not, I’ve got a story to tell you about BGP and SHA1, or DNS and a phone call to a registrar… I think the question of how you can prove ownership of a hidden-service-backed system is as simple as making sure the LE registration authority can speak Tor.
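Added example (not from the original post or from Tor's own code): a v3 .onion name is the service's 32-byte ed25519 public key followed by a 2-byte SHA3-256 checksum and a version byte, base32-encoded, so a validator can recover from the hostname alone the key whose possession must be proven. The function names are hypothetical.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION), first 2 bytes
    digest = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()
    return digest[:2]


def encode_v3_onion(pubkey: bytes) -> str:
    """Build the hostname for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION
    # 35 bytes encode to exactly 56 base32 characters, with no padding.
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_v3_onion(hostname: str) -> bytes:
    """Validate a v3 .onion hostname and return the key it commits to."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        raise ValueError("not a .onion name")
    label = labels[-2]  # labels in front (e.g. www) are not part of the key
    if len(label) != 56:
        raise ValueError("not a v3 address (expected 56 base32 characters)")
    # b32decode raises binascii.Error, a ValueError subclass, on bad input.
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch (mistyped or altered address)")
    return pubkey


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed sample, not a real service key
    name = encode_v3_onion(sample_key)
    print(name, pubkey_from_v3_onion(name).hex())
```

Recovering the key is only the first half: the requester still has to show control of the matching private key, for example by signing a challenge that is then verified against the returned bytes.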
The last piece, which I think is relevant for lots of reasons, is: will .onion be designated a reservation/exception by ICANN, such that we can make sure there won’t be .onion addresses in the clearnet ever? Facebook tried to make this a thing, and one of their own published RFC 7686, which expands on IANA rules regarding special-use domain names to make sure it’s agreed that this is the case.
And if you ask ICANN about it, they believe in the idea but want to make sure the process of reserving names through RFCs is sound. As of August the question is outstanding:
Question 2.2.3: Do you think Special Use Domain Names should be added to the Applicant Guidebook section on reserved names at the top level to prevent applicants applying for such labels?
– A good example would be .onion. Most people would like to keep special use domain names should be reserved.
– Question: How did the IETF RFC 6761 come into being? Response: Understanding that it would have been approved by the IETF. The bottom-up consensus building process is extremely robust. The process for all of the special use names in IETF is going under review. There are two ways that things go through: 1) through the working group and if it is judged not to be an end run it goes into a last call as an Internet draft in the IETF community before becoming an RFC. What is being talked about is how to do better coordination. Also, what is being discussed is why people need top-level names for their special use names, rather than second-level. It is quite a lengthy process. We were notified when .onion was going through.
What we are left with is: do the CAs now have enough confidence in the system that this is acceptable for DVs? Do they want to wait for ICANN to officially sanction the IETF RFC process? Is there something more that Tor developers, or the community at large, can do to make this happen?