- From: Henry Story <henry.story@bblfish.net>
- Date: Wed, 16 May 2012 17:41:49 +0200
- To: tor-talk@lists.torproject.org
- Cc: public-webid <public-webid@w3.org>
I suppose you are speaking to me, and my proposal of doing WebID with onion urls (using the protocol described at http://webid.info/spec/ ).

On 16 May 2012, at 16:57, tor user22 wrote:

> May be a silly question, but why TOR does not use http traffic encrypted
> with shared key instead of using SSL (like Your-Freedom project)?

We know how to do WebID with SSL, but not yet how to do it with Tor encryption. Perhaps the same technique could be applied to Tor encryption too (I don't know how Tor works in detail, so I can't tell yet).

Thinking about this I can now see one issue with using WebID+TLS with Tor encryption: namely how the client can authenticate the server with TLS. When we are not dealing with Tor, we can rely on Certificate Authorities (not an ideal solution, but one that allows us to get going, that works in most browsers, and that is satisfactory for businesses, which need legal backing anyway to operate), or in the future on IETF's DANE ( http://tools.ietf.org/wg/dane/ ). I don't think either of these would work with Tor though.

A year ago, when thinking about how one could do WebID without using DNS, I came up with an httpk scheme on the FreedomBox mailing list:

http://lists.w3.org/Archives/Public/public-xg-webid/2011Mar/0068.html

This was before I had heard of Tor. The idea was that one could have urls of the form

httpk://ash12sdfs19kd3/my/foaf

where the public key would be part of the URL (ash12sdfs19kd3 above) and that this could then be used by a modified TLS client to verify the authenticity of the server it had connected to. Of course this won't be something that is part of the browser at this point, but it could be part of the FreedomBox stack, and we could use our FreedomBox to interact with other FreedomBoxes using this protocol.

httpk does not seem very far from onion urls (but I don't know exactly how onion urls work - any good pointer?). If onion urls work like my suggested httpk scheme, then perhaps there is something that can be done at that level.

>
> so encrypted http traffic would be routed through TOR network, this would
> be useful in countries where using SSL or HTTPS is forbidden.

I think that if https is forbidden, then Tor is forbidden too. A country where encryption is forbidden will of course quickly lose its ability to compete in the internet world, as they won't be able to keep secrets from their enemies/competitors.

I think the problem with https is at a different layer as explained above: the client has to be able to authenticate the server somehow. Tor does this. So the question is: can we use something in Tor to do what client certificates do in TLS?

Henry

>
> Best,

Social Web Architect
http://bblfish.net/
Received on Wednesday, 16 May 2012 15:42:22 UTC
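
The httpk idea in the message above (a host name that commits to the server's public key, so the client needs neither a CA nor DNS to authenticate the server) can be sketched as follows. This is an added example, not code from the message or from any httpk implementation. The label encoding (base32 of a truncated SHA-256 of the DER-encoded key) and the function names are assumptions, since the message does not specify them, and the key bytes are constructed stand-ins for real DER keys.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: label = base32(SHA-256(DER public key)[:20]) -> 32 characters.
LABEL_BYTES = 20


def key_label(spki_der: bytes) -> str:
    """Derive the self-certifying host label from a DER-encoded public key."""
    digest = hashlib.sha256(spki_der).digest()[:LABEL_BYTES]
    return base64.b32encode(digest).decode("ascii").lower()


def httpk_url(spki_der: bytes, path: str = "/") -> str:
    """Build the URL a server owner would publish for this key."""
    return "httpk://" + key_label(spki_der) + path


def server_key_matches(url: str, presented_spki_der: bytes) -> bool:
    """Client-side check run after the handshake.

    The handshake itself proves the server holds the private key; this
    check binds that key to the name the user asked for.
    """
    parts = urlsplit(url)
    if parts.scheme != "httpk" or not parts.hostname:
        return False
    expected = key_label(presented_spki_der)
    # hostname is already lower-cased by urlsplit; compare in constant time.
    return hmac.compare_digest(parts.hostname.encode(), expected.encode())


# Constructed sample input: placeholders standing in for real DER keys.
SERVER_KEY = b"constructed-DER-public-key-A"
OTHER_KEY = b"constructed-DER-public-key-B"

if __name__ == "__main__":
    url = httpk_url(SERVER_KEY, "/my/foaf")
    print(url)
    print("genuine server accepted:", server_key_matches(url, SERVER_KEY))
    print("other key accepted:     ", server_key_matches(url, OTHER_KEY))
```

The security of such a name rests on the label length: truncating the hash further makes the URL shorter but lowers the cost of finding a second key with the same label.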