GitLab

https://blog.torproject.org/comment/288030#comment-288030

pastly commented that the current phrasing implies Tor Browser will send the private key to the onion service (because the onion service "requested it").

pastly, subsequently, suggested something like "foo.onion requires you to authenticate. Please enter the private key for your identity with this onion service".

The message should imply that the private key is needed for authentication, but the key is only used locally to prove possession of it (via crypto magic), and the key is not actually sent to the onion service.

Related: legacy/trac#30237 (moved)