Great summary Tom,
From my perspective, getting .onion reserved is a pretty high priority. Once reserved, we can really eliminate it as an internal name and get onion listed as part of the PSL. I'm happy to help with this part of the project if I can.
Syrup-tan had an idea on irc: Have a DV certificate sign a certificate
that is valid for the .onion URL, and display the URL of the DV
certificate. This doesn't eliminate phishing - I can register
facebok.com and then get that displayed. But doing bootstrapping off
DNS and DV certificates is a fairly low bar in terms of the cost to a
.onion operator. (There are other concerns here, I'm not completely
comfortable with repurposing the EV indicator in this way. Asa on irc
had the good point that if we did this, maybe we'd want to change the
EV green to another color just to be a little bit different. Not that
I really expect users to notice that though...)
This is similar to what I was thinking by proposing that CAs have both a non-onion and onion name in it. If you do that and both are validated as part of the same certificate order, you could give users an indicator that the non-onion name is related to the onion name in the certificate.
Allowing an organization to purchase an EV certificate from a CA, and
display the organization's name in the address bar, is another way -
albeit a very high bar in terms of cost to an onion operator.
I'm hoping the cost won't be high - I'm interested in this solely as something that supports Tor and companies like Facebook who want to give users greater privacy. Like you, I'm not looking to make EV certs required for onion operators. Instead, I'd like to see them permitted under the industry standards for companies looking to prominently promote their onion services. The biggest penalty of requiring EV is that it locks out individuals - which is very bad. I've proposed EV for individuals several times on the forum. Probably time to bring it up again.
But there should be at least one more solution in
the short to long term (e.g. a petname approach). Unfortunately, if
the time between now and the 'long term' solution is too long, it
locks out everyone who can't get an EV cert - which is a legitimate
concern. Perhaps after there's a spec Tor likes, some large
organization concerned about preventing phishing could throw some
engineering time at the problem.
Jeremy
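As an added illustration of the "both names in one certificate" idea discussed in this thread (this is example code, not something from the thread or from any CA or browser), the following Python takes the dNSName entries from a certificate's Subject Alternative Name extension, separates syntactically valid .onion names from ordinary DNS names, and reports which non-onion name a browser could show as "related" to the onion name. The onion-address syntax rules used (16 base32 characters for v2, 56 for v3) and the sample SAN lists are constructed for this example; a wildcard such as `*.onion` is deliberately rejected because it would cover every hidden service.

```python
import re

# Onion addresses are lowercase base32 labels (RFC 4648 alphabet, no padding):
# v2 addresses are 16 characters, v3 addresses are 56 characters.
_V2_ONION = re.compile(r"^[a-z2-7]{16}\.onion$")
_V3_ONION = re.compile(r"^[a-z2-7]{56}\.onion$")


def is_onion_name(name):
    """True if `name` is syntactically a v2 or v3 .onion address.

    Wildcards (`*.onion`) and malformed labels fail this check, so a
    certificate can never claim every onion service at once.
    """
    n = name.strip().lower()
    return bool(_V2_ONION.match(n) or _V3_ONION.match(n))


def related_names(san_dns_names):
    """Classify the dNSName entries of one certificate's SAN extension.

    Returns the onion names, the ordinary DNS names that were validated in
    the same certificate order, any entries rejected as malformed, and the
    DNS name a browser could display as "related" to the onion name
    (None unless the certificate carries at least one of each kind).
    """
    onions, dns_names, rejected = [], [], []
    for name in san_dns_names:
        n = name.strip().lower()
        if n.endswith(".onion"):
            # Anything under .onion must be a well-formed onion address.
            (onions if is_onion_name(n) else rejected).append(n)
        elif "." in n and not n.startswith(".") and not n.endswith("."):
            dns_names.append(n)
        else:
            rejected.append(n)
    return {
        "onion": onions,
        "dns": dns_names,
        "rejected": rejected,
        # Show the first validated non-onion name as the related identity.
        "indicator": dns_names[0] if onions and dns_names else None,
    }


def demo():
    """Run the classifier over constructed SAN lists and return the results."""
    # Constructed sample inputs for illustration only.
    mixed = ["facebookcorewwwi.onion", "facebook.com", "www.facebook.com"]
    onion_only = ["facebookcorewwwi.onion"]
    bad = ["*.onion", "short.onion", "example.org"]
    return {
        "mixed": related_names(mixed),
        "onion_only": related_names(onion_only),
        "bad": related_names(bad),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The decision rule is intentionally conservative: the indicator only appears when the certificate binds a syntactically valid onion name to at least one ordinary DNS name that the CA validated in the same order, which is exactly the relationship the thread proposes surfacing to users.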