WKD - .onion redirects mapping

Phil Pennock gnupg-users at spodhuis.org
Tue Aug 4 20:06:07 CEST 2020

On 2020-08-04 at 16:46 +0200, Werner Koch via Gnupg-users wrote:
> Yes, privacy.  But that is just a welcome side-effect.  What we need is
> that the domain is authenticated so that we can consider the key to be
> valid at a certain level.  I see no way how you can do this via an
> anonymizer because the two goals are in contradiction.

Isn't that what a static mapping file accomplishes?  Not a good
longer-term solution, but buys the ability to explore the problem space.

E.g., there could be DNSSEC-signed records in DNS saying "this string is
equivalent for TOR".  If DNS is routed over TOR then the object signing
gives you that assurance.  You get privacy and assurance.  DNSSEC means
you no longer need to care how you get the responses, provided that
there's a DS trust chain down to the result you want.

So spitballing wildly, `_tor_https.example.org` as a set of TXT records
could provide one domain each which are equivalent.
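A sketch of the DNSSEC-gated lookup the post spitballs, as an added Python example that is not part of the original thread or of GnuPG: the `_tor_https.<domain>` TXT name and the DS-trust-chain requirement come from the post, while the `v=tor1; onion=...` record syntax, the `DnsTxtAnswer` type and the `resolve` callback are assumptions made here. The mapping is honoured only when the resolver reports the answer as DNSSEC-validated; otherwise the client keeps the clearnet WKD URL.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# z-base-32 alphabet, which WKD uses to encode the SHA-1 of the local part
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
# assumed record syntax for the proposed _tor_https.<domain> TXT record
TOR_RECORD = re.compile(r"^v=tor1;\s*onion=([a-z2-7]{56}\.onion)$")


@dataclass
class DnsTxtAnswer:
    """Constructed stand-in for a validating resolver's answer (assumed type)."""
    records: List[str]
    authenticated: bool  # AD bit: a DS trust chain validated this answer


def zbase32(data: bytes) -> str:
    """Encode bytes MSB-first in 5-bit groups using the z-base-32 alphabet."""
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(ZB32[int(bits[i:i + 5].ljust(5, "0"), 2)]
                   for i in range(0, len(bits), 5))


def wkd_direct_url(addr: str, host: Optional[str] = None) -> str:
    """Direct-method WKD URL for addr; host replaces the mail domain if given."""
    local, domain = addr.rsplit("@", 1)
    digest = hashlib.sha1(local.lower().encode()).digest()
    return (f"https://{host or domain.lower()}/.well-known/openpgpkey/hu/"
            f"{zbase32(digest)}?l={local}")


def tor_equivalent(answer: DnsTxtAnswer) -> Optional[str]:
    """The .onion the owner published, or None if the answer is not DNSSEC-validated:
    an unauthenticated TXT record could come from anyone on the path."""
    if not answer.authenticated:
        return None
    for txt in answer.records:
        m = TOR_RECORD.match(txt.strip())
        if m:
            return m.group(1)
    return None


def wkd_url_via_tor(addr: str,
                    resolve: Callable[[str], DnsTxtAnswer]) -> Tuple[str, bool]:
    """Return (url, via_tor); via_tor is False when falling back to clearnet."""
    domain = addr.rsplit("@", 1)[1].lower()
    onion = tor_equivalent(resolve(f"_tor_https.{domain}"))
    return wkd_direct_url(addr, onion), onion is not None
```

The caller should treat `via_tor == False` as a signal to decide deliberately whether a clearnet fetch is acceptable rather than falling through silently.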
