Rejo Zenger:
> - How can a user reliably determine some .onion address actually
> belongs to the intended owner?

The user can call the admin and ask the admin to read aloud the key fingerprint.

> - How is the provider of a .onion service supposed to deal with a lost or
> compromised private key, especially from the point of view of the
> user of this service? How does the user know a .onion address has
> had its key revoked?

Use any form of reliable communication to communicate that the old key is unreliable. I am not aware of a revoke system.

> By relying on
> the certificate signed by a trusted CA, the user can be sure the site he
> is connecting to actually belongs to a particular entity. With a
> .onion address that is no longer needed since those addresses are
> self-authenticating. Sounds good.

No. Through hacking or criminal intent the CAs are known to generate fake keys that are certificated too. This is why there is an SSL Observatory. With any certificate you get that. Not only .onion addresses. And there are quite a few sites in the clearnet with self-signed certificates.

> As far as I can tell, Facebook has two solutions to this: it
> mentions the correct address in presentations, blogs and press coverage
> wherever it can and its TLS certificate mentions both the .onion address
> as well as its regular address (as Subject Alt Names).

This is why there might be any number of Fakebook.com, Faeebook.com, Facebook.net. The big players buy a lot of these domains and use the muscle to remove the others. But that is not for everybody.

Cheers

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
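What "self-authenticating" means in practice, as an added example that is not part of this thread: a v3 .onion address is just the service's ed25519 public key plus a two-byte checksum and a version byte, base32-encoded, so a client can check that an address is well-formed and recover the key it commits to with no CA involved. (The addresses in use when this thread was written were the shorter v2 form, a truncated hash of an RSA key; the encoding below is the v3 one from Tor's rend-spec-v3. The public key used here is a constructed placeholder, not a real service's key.)

```python
import base64
import hashlib
from typing import Optional

ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
ONION_V3_LABEL_LEN = 56  # 35 bytes * 8 / 5 = 56 base32 chars, no padding


def _checksum(pubkey: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    digest = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()
    return digest[:2]


def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """Derive the v3 .onion address that encodes this 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + ONION_V3_VERSION  # 35 bytes
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def verify_onion_v3(address: str) -> Optional[bytes]:
    """Return the embedded public key if the address is a well-formed v3
    address (length, version byte and checksum all check out), else None.
    A v2 address (16-char label) or a mistyped address fails here."""
    if not address.endswith(".onion"):
        return None
    label = address[: -len(".onion")]
    if len(label) != ONION_V3_LABEL_LEN:
        return None
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_V3_VERSION or checksum != _checksum(pubkey):
        return None
    return pubkey


if __name__ == "__main__":
    # Constructed placeholder key, not a real service's key.
    sample_pubkey = bytes(range(32))
    addr = onion_v3_from_pubkey(sample_pubkey)
    print(addr)
    print("key recovered:", verify_onion_v3(addr) == sample_pubkey)
```

The check only proves the address and key belong together; whether that key belongs to the organisation you meant to reach is still the out-of-band question the thread is about.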