Does external cert validation for onion domains even make sense? I thought the "domain name" was already the hash of some public key that is used in the normal encryption of the onion router - so there is already a mandatory cryptographic proof that the service you're talking with "owns" the domain. What additional security benefit would CA-signed certs bring?

Item 9 on their list of reasons is going to be applicable for the set of Onion services that overlap things that should exist conventionally. It says you can use this proof-of-control for an .onion name, then use conventional methods for any other name, then bind both names to the same TLS public key and thus to each other.

So that means e.g. www.facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion can have a certificate which also names www.facebook.com giving you confidence that it's not just some crook who wanted to impersonate facebook and also generated a key to match the name prefix.

The site where you can hire assassins for Bitcoin presumably does not have a legit web presence, but the site where you can order abortion pills in unmarked packaging sure does even if you must use Tor to access it from where you live.

>I thought the "domain name" was already the hash of some public key

With v3 it's the ed25519 key with a checksum.

For something like a Cwtch address or your personal dissident blog criticizing Emutopia, it's enough your contacts get the address from you personally or that they find it some other way and pin the site to bookmarks for TOFU.

But with public services like Duckduckgo onion service, it's possible for people to trivially spin up their own unique per-target MITM proxy server instance, and share the link to their friends, bookmark it to their SO's Tor browser and MITM their connections, poison link repositories, or official links on wikipedia pages etc.

Having a CA validate you own the clearweb site first helps mitigate this stuff to some extent. Problem is of course, will the user know if they're supposed to be expecting a cert for a page they visit the first time.

(I wonder if Tor browser could have a list of pinned onion addresses with "clearweb_equivalent_of" field for this, and you could easily check that from the site security badge.)

They write the following reason in the article: But as the web and other internet technologies mature, certificates are starting to be a requirement in order to unleash functionalities, especially in web browsers, such as the faster connection protocol HTTP/2 and payment processing.

> Does external cert validation for onion domains even make sense? […] What additional security benefit would CA-signed certs bring?

Yes, and the page/documents explain some use cases:

> The two ACME-defined methods allowed by CA/BF described in Sections 3.1.2 and 3.1.3 (http-01 and tls-alpn-01) do not allow issuance of wildcard certificates. A ".onion" Special-Use Domain Name can have subdomains (just like any other domain in the DNS), and a site operator may find it useful to have one certificate for all virtual hosts on their site. This new validation method incorporates the specially signed Certificate Signing Request (CSR) (as defined by Appendix B.2.b of [cabf-br]) into ACME to allow for the issuance of wildcard certificates.

* https://datatracker.ietf.org/doc/html/rfc9799#name-new-onion...

> Some Hidden Services do not wish to be accessible to the entire Tor network, and so they encrypt their Hidden Service Descriptor with the keys of clients authorized to connect. Without a way for the CA to signal what key it will use to connect, these services will not be able to obtain a certificate using http-01 or tls-alpn-01, nor enforce CAA with any validation method.

> To this end, an additional field in the challenge object is defined to allow the ACME server to advertise the Ed25519 public key it will use (as per the "Authentication during the introduction phase" section of [tor-spec]) to authenticate itself when retrieving the Hidden Service Descriptor.

* https://datatracker.ietf.org/doc/html/rfc9799#name-new-onion...

"Doesn't make sense for us but mandated by policy" is a super common phenomenon that you'll sadly encounter all the time in the industry. Especially when it comes to security. In this case it's at least motivated by something as peripheral as onion services wanting to fit in with the browser ecosystem, which, fair, maybe it doesn't make sense for browsers to bloat their designs by taking onion services into account, and then onion services have to adapt to modern browser standards.

A certificate is just a fancy way of saying one key pair signed a message containing another public key. It is a link in a cryptographic chain of trust. Given that you already trust a public key, you should also trust some other public key with certain caveats because the first public key signed a message containing the second key and whatever else. A list of allowed domain names is a possible caveat.

An onion address is more like an IP address, except it is stable for hosts across time, and it contains enough information to cryptographically prove identity. It may be true that the browser interprets it as a domain name, but it is really operating at the network level where Tor is the network.

A certificate for a Tor address means you can go from DNS to a Tor address because the certificate will contain a list of allowed domains and the tor address contains a public key, same as usual.

The section Benefits (after Introduction) lists 9 reasons why it makes sense. Some of them are about working around a mismatch with existing standards, but not all.