diff options
| author | Q <q@misell.cymru> | 2023-06-06 23:27:36 +0200 |
|---|---|---|
| committer | Q <q@misell.cymru> | 2023-06-06 23:27:36 +0200 |
| commit | 67f8481596b010c58c406ee5c5631202a59bfc6f (patch) | |
| tree | a025481fc9912c1888a4d688bde443a8957a5c84 /proposals/343-rend-caa.txt | |
| parent | cf44439a2c4cbbf843c66ea24f1842266a566d80 (diff) | |
| download | torspec-67f8481596b010c58c406ee5c5631202a59bfc6f.tar.gz torspec-67f8481596b010c58c406ee5c5631202a59bfc6f.zip | |
update 343-rend-caa to include guidance on the non mandatory state of CAA
Diffstat (limited to 'proposals/343-rend-caa.txt')
| -rw-r--r-- | proposals/343-rend-caa.txt | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/proposals/343-rend-caa.txt b/proposals/343-rend-caa.txt index f5d449f..0859690 100644 --- a/proposals/343-rend-caa.txt +++ b/proposals/343-rend-caa.txt @@ -3,6 +3,7 @@ Title: CAA Extensions for the Tor Rendezvous Specification Author: Q Misell <q@as207960.net> Created: 2023-04-25 Status: Open +Ticket: https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/716 Overview: The document defines extensions to the Tor Rendezvous Specification Hidden @@ -22,8 +23,11 @@ Motivation: As Tor hidden service domains are not in the DNS another way to provide the same security benefits as CAA does in the DNS needed to be devised. + It is important to note that a hidden service is not required to publish a CAA + record to obtain a certificate, as is the case in the DNS. + More information about this project in general can be found at - https://e.as207960.net/w4bdyj/Gm2AylEF + https://acmeforonions.org. Specification: To enable maximal code re-use in CA codebases the same CAA record format is @@ -62,10 +66,10 @@ Specification: [At most once] Security Considerations: - The second layer descriptor is signed and MACed in a way that only a party - with access to the secret key of the hidden service could manipulate what is - published there. Therefore, Tor CAA records have at least the same security as - those in the DNS secured by DNSSEC. + The second layer descriptor is signed, encrypted and MACed in a way that only + a party with access to the secret key of the hidden service could manipulate + what is published there. Therefore, Tor CAA records have at least the same + security as those in the DNS secured by DNSSEC. The "caa-critical" flag is visible to anyone with knowledge of the hidden service's public key, however it reveals no information that could be used to @@ -104,4 +108,4 @@ References: [tor-rend-spec-v3] The Tor Project, "Tor Rendezvous Specification - Version 3", - <https://spec.torproject.org/rend-spec-v3>. + <https://spec.torproject.org/rend-spec-v3>.
\ No newline at end of file |