Certificates for Onion Services
This document tracks existing procedures or proposals for integrating and validating TLS/HTTPS certificates for Onion Services.
While some of them depend on the Certificate Authority (CA) model, others rely on alternative certification and validation procedures that do not require built-in certificate chains in the client software or reliance on financial transactions.
When you browse the regular internet, the connection between your computer and a service is usually encrypted, and the safety of this communication relies on the verification of a special type of certificate.
With Onion Services, the connection is peer-to-peer encrypted by default, which means that no additional certificates are needed.
But as the web and other internet technologies mature, certificates are becoming a requirement for unlocking functionality, especially in web browsers, such as the faster HTTP/2 connection protocol and payment processing.
That's why it's important to improve the certificate ecosystem to fully support Onion Services.
This is a hard problem and an ongoing effort, but important work has already been done to solve it.
The most relevant one should bring automation to the process of issuing certificates for Onion Services through an extension to a protocol called ACME.
The ACME for Onions proposal is composed of tools and also an Internet Draft, which hopefully will turn into an Internet Standard soon.