<div dir="ltr">The BRs are clear in Section 9.2.1 that putting values other than dNSName and iPAdress in a SAN are PROHIBITED. It states very clearly that the entries of this type MUST be of these two forms.<div><br></div><div>This is because the BRs describe precisely how to validate these information fields. Other field types, such as URI or rfc822name, are NOT described for how to validate in the BRs, and thus are prohibited (as part of the general restrictions of the BRs to prohibit any unvalidated information / any information that's not consistently validated).</div><div><br></div><div>Similarly, per Section 9.2.1, the names .onion and .exit constitute Internal Server Names, and are thus deprecated and STRONGLY discouraged. We would not support any CA issuing for such names.</div><div><br></div><div>If and when such a time as IANA or the IETF takes action to indicate that these are Reserved Domain Names, they would still constitute Internal Server Names and thus not be permissable to issue, the same as issuing a certificate for foo.localhost would not be valid.<br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 22, 2014 at 6:40 PM, Jeremy Rowley <span dir="ltr"><<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Any thoughts from the browers on Peter's idea? Can CAs use SANs options other than DNS Name for this type of information? Do browsers use the other options?<br>
<span class="HOEnZb"><font color="#888888"><br>
Jeremy<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
-----Original Message-----<br>
From: <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>] On Behalf Of Jeremy Rowley<br>
Sent: Friday, October 17, 2014 8:21 AM<br>
To: Gervase Markham; Adam Langley<br>
Cc: Phillip Hallam-Baker; CABFPub<br>
Subject: Re: [cabfpub] .onion and .exit<br>
<br>
Adding Peter Bowen's comment to the discussion:<br>
<br>
What about using the uniformResourceIdentifier option for subjectAlternativeName?<br>
<br>
The Baseline Requirements say "Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server", which would appear to rule this out, but I'm not sure if that was the intention. Do the BRs really mean to disallow putting rfc822Name, directoryName, or other types of names in the SAN?<br>
<br>
Thanks,<br>
Peter<br>
<br>
<br>
-----Original Message-----<br>
From: Gervase Markham [mailto:<a href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>]<br>
Sent: Friday, October 17, 2014 3:18 AM<br>
To: Jeremy Rowley; Adam Langley<br>
Cc: Phillip Hallam-Baker; CABFPub<br>
Subject: Re: [cabfpub] .onion and .exit<br>
<br>
On 16/10/14 18:01, Jeremy Rowley wrote:<br>
> I asked a couple of companies who have requested these types of certs<br>
> about this and here is one reason for wanting a cert:<br>
<br>
It looks like the real issue here is proving real-world ownership and control of .onion addresses, either by tying them to an existing real-world website (DV with multiple SANs) or an identity (EV).<br>
<br>
In the EV case, the UI would show the tied identity, but not in the DV case. Although the Tor Browser Bundle could be updated to do something smart - if there's a .onion address, instead show the DNS name from the first non-onion SAN, or something.<br>
<br>
(You may remember a while back I suggested that internal server name certs should have at least one globally-resolvable name in, and that browsers should display that instead, even if the internal name was used. This is a similar idea.)<br>
<br>
Gerv<br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
</div></div></blockquote></div><br></div></div></div>