A project to standardise extensions to the ACME protocol to allow its use for issuing TLS certificates to Tor hidden services.

Many sites offer Tor service via a .onion address, especially sites that might otherwise be blocked in certain regions of the world. Examples include news sites debunking the propaganda of oppressive regimes and sites providing support to LGBTQ+ individuals in areas where such things are illegal. These services are undeniably valuable to humanity, and greater security for them would be a net benefit to society.

Currently, obtaining a TLS certificate for a .onion domain is extremely expensive, time consuming, or both. Many .onion sites therefore do not offer TLS, leaving their users more exposed to interception of their data. A particular complication for issuing certificates to .onion sites is that there is no Domain Name System (DNS) for .onion addresses, so the DNS-based validation a CA would normally rely on is unavailable.

The Automated Certificate Management Environment (ACME) defines challenges for validating control of DNS identifiers. Whilst a “.onion” name has the syntax of a DNS name, it is not resolved through the DNS, so validating control of one requires special consideration before ACME can be used for “.onion” domains. The goal of this project is to standardise how ACME can be used to issue certificates for .onion domains automatically, and to get CAs to implement the eventual standard.