use references instead of inline markdown links

This is more readable outside of Emacs (which elides link targets).

tsa/howto/tls.mdwn

-TLS is the [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security) protocol, previously known as
-SSL and also known as [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on the web. This page documents how
+TLS is the [Transport Layer Security][] protocol, previously known as
+SSL and also known as [HTTPS][] on the web. This page documents how
 TLS is used across the TPA infrastructure and specifically how we
-manage the related [X.509](https://en.wikipedia.org/wiki/X.509) certificates that make this work.
+manage the related [X.509][] certificates that make this work.
 
+[X.509]: https://en.wikipedia.org/wiki/X.509
+[HTTPS]: https://en.wikipedia.org/wiki/HTTPS
+[Transport Layer Security]: https://en.wikipedia.org/wiki/Transport_Layer_Security
 [[!toc levels=3]]
 
 # Tutorial
@@ -81,7 +84,9 @@ Then remove the file.
 ## Enabling HPKP
 
 HPKP is generally considered DEPRECATED. It has been [disabled in
-Google Chrome in 2017](https://www.zdnet.com/article/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why/) and should generally not be used anymore.
+Google Chrome in 2017][] and should generally not be used anymore.
+
+[disabled in Google Chrome in 2017]: https://www.zdnet.com/article/google-chrome-is-backing-away-from-public-key-pinning-and-heres-why/
 
 This section should generally be skipped unless you *really* need key
 pinning for some obscure reason.
@@ -165,19 +170,25 @@ But there are other certificate authorities in use inside TPA and,
 more broadly, at Tor. Here's the list of known CAs in operation at the
 time of writing (2020-04-15):
 
- * [Let's Encrypt](https://letsencrypt.org): automatically issues certificates for most websites
+ * [Let's Encrypt][]: automatically issues certificates for most websites
    and domains, managed by TPA
- * [Globalsign](https://globalsign.com): used by the [Fastly](https://www.fastly.com/) CDN used to distributed
+ * [Globalsign][]: used by the [Fastly][] CDN used to distributed
    TBB updates
- * [Digicert](https://www.digicert.com/): used by other teams to sign software releases for Mac and Windows
+ * [Digicert][]: used by other teams to sign software releases for Mac
+   and Windows
  * [[Puppet]]: our configuration management infrastructure has its own
    X.509 certificate authority which allows "Puppet agents" to
    authenticate and verify the "Puppet Master", see [[our
-   documentation|puppet]] and [upstream documentation](https://puppet.com/docs/puppet/latest/ssl_certificates.html) for details
+   documentation|puppet]] and [upstream documentation][] for details
  * internal "auto-ca": all nodes in Puppet get their own X.509
    certificate signed by a standalone, self-signed X.509 certificate,
    documented below
 
+[upstream documentation]: https://puppet.com/docs/puppet/latest/ssl_certificates.html
+[Digicert]: https://www.digicert.com/
+[Fastly]: https://www.fastly.com/
+[Globalsign]: https://globalsign.com
+[Let's Encrypt]: https://letsencrypt.org
 ### Internal auto-ca
 
 The internal "auto-ca" is a standalone certificate authority running
@@ -289,11 +300,13 @@ Nagios as well, on top of the above checks.
 ## Overview
 
 There are no plans to do major changes to the TLS configuration,
-although [review of the cipher suites](https://trac.torproject.org/projects/tor/ticket/32351) is in progress (as of April
+although [review of the cipher suites][] is in progress (as of April
 2020). We should have mechanisms to do such audits on a more
 regular basis, and facilitate changes of those configurations over the
 entire infrastructure.
 
+[review of the cipher suites]: https://trac.torproject.org/projects/tor/ticket/32351
+
 <!-- the Goals, Approvals, Proposed solutions and Cost sections have -->
 <!-- been removed from the template because we don't have any big -->
 <!-- project on the TLS infra at the moment -->