Gregory Maxwell [ARCHIVE] on Nostr: 📅 Original date posted:2013-10-26 📝 Original message:One limitation of the ...
📅 Original date posted:2013-10-26
📝 Original message:One limitation of the payment protocol as speced is that there is no
way for a hidden service site to make use of its full authentication
capability because they are unable to get SSL certificates issued to
them.
A tor hidden service (onion site) is controlled by an RSA key.
It would be trivial to pack a tor HS pubkey into a self-signed x509
certificate with the cn set to foooo.onion.
If we specified in the payment protocol an additional validation
procedure for [base32].onion hosts that just has it hash and base32
encode the pubkey (as tor does) then the payment protocol could work
seamlessly with tor hosts. (Displaying that the payment request came
from "foooo.onion"). I believe that the additional code for this
would be trivial (and I'll write it if there is support for making
this a standard feature).
This would give us an fully supported option which is completely CA
free... it would only work for tor sites, but the people concerned
about CA trechery are likely to want to use tor in any case.
Thoughts?
📝 Original message:One limitation of the payment protocol as speced is that there is no
way for a hidden service site to make use of its full authentication
capability because they are unable to get SSL certificates issued to
them.
A tor hidden service (onion site) is controlled by an RSA key.
It would be trivial to pack a tor HS pubkey into a self-signed x509
certificate with the cn set to foooo.onion.
If we specified in the payment protocol an additional validation
procedure for [base32].onion hosts that just has it hash and base32
encode the pubkey (as tor does) then the payment protocol could work
seamlessly with tor hosts. (Displaying that the payment request came
from "foooo.onion"). I believe that the additional code for this
would be trivial (and I'll write it if there is support for making
this a standard feature).
This would give us an fully supported option which is completely CA
free... it would only work for tor sites, but the people concerned
about CA trechery are likely to want to use tor in any case.
Thoughts?