<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Thanks Ryan.  Adam didn't seem as strongly opposed as you are in this
    email.  Also, Adam was going to reach out to Tor and get them to
    provide input.  Is that still happening?<br>
    <br>
    Jeremy<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 10/23/2014 3:30 PM, Ryan Sleevi
      wrote:<br>
    </div>
    <blockquote
cite="mid:CACvaWvZBz6W1P9oM+xe_df7m19ZeRuTp1wsLqAsZ+d9tXXuTaA@mail.gmail.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <div dir="ltr">The BRs are clear in Section 9.2.1 that putting
        values other than dNSName and iPAddress in a SAN are PROHIBITED.
        It states very clearly that the entries of this type MUST be of
        these two forms.
        <div><br>
        </div>
        <div>This is because the BRs describe precisely how to validate
          these information fields. Other field types, such as URI or
          rfc822name, are NOT described for how to validate in the BRs,
          and thus are prohibited (as part of the general restrictions
          of the BRs to prohibit any unvalidated information / any
          information that's not consistently validated).</div>
        <div><br>
        </div>
        <div>Similarly, per Section 9.2.1, the names .onion and .exit
          constitute Internal Server Names, and are thus deprecated and
          STRONGLY discouraged. We would not support any CA issuing for
          such names.</div>
        <div><br>
        </div>
        <div>If and when such a time as IANA or the IETF takes action to
          indicate that these are Reserved Domain Names, they would
          still constitute Internal Server Names and thus not be
          permissible to issue, the same as issuing a certificate for
          foo.localhost would not be valid.<br>
          <div class="gmail_extra"><br>
            <div class="gmail_quote">On Wed, Oct 22, 2014 at 6:40 PM,
              Jeremy Rowley <span dir="ltr"><<a
                  moz-do-not-send="true"
                  href="mailto:jeremy.rowley@digicert.com"
                  target="_blank">jeremy.rowley@digicert.com</a>></span>
              wrote:<br>
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">Any
                thoughts from the browsers on Peter's idea?  Can CAs use
                SANs options other than DNS Name for this type of
                information? Do browsers use the other options?<br>
                <span class="HOEnZb"><font color="#888888"><br>
                    Jeremy<br>
                  </font></span>
                <div class="HOEnZb">
                  <div class="h5"><br>
                    -----Original Message-----<br>
                    From: <a moz-do-not-send="true"
                      href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
                    [mailto:<a moz-do-not-send="true"
                      href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>]
                    On Behalf Of Jeremy Rowley<br>
                    Sent: Friday, October 17, 2014 8:21 AM<br>
                    To: Gervase Markham; Adam Langley<br>
                    Cc: Phillip Hallam-Baker; CABFPub<br>
                    Subject: Re: [cabfpub] .onion and .exit<br>
                    <br>
                    Adding Peter Bowen's comment to the discussion:<br>
                    <br>
                    What about using the uniformResourceIdentifier
                    option for subjectAlternativeName?<br>
                    <br>
                    The Baseline Requirements say "Each entry MUST be
                    either a dNSName containing the Fully-Qualified
                    Domain Name or an iPAddress containing the IP
                    address of a server", which would appear to rule
                    this out, but I'm not sure if that was the
                    intention.  Do the BRs really mean to disallow
                    putting rfc822Name, directoryName, or other types of
                    names in the SAN?<br>
                    <br>
                    Thanks,<br>
                    Peter<br>
                    <br>
                    <br>
                    -----Original Message-----<br>
                    From: Gervase Markham [mailto:<a
                      moz-do-not-send="true"
                      href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>]<br>
                    Sent: Friday, October 17, 2014 3:18 AM<br>
                    To: Jeremy Rowley; Adam Langley<br>
                    Cc: Phillip Hallam-Baker; CABFPub<br>
                    Subject: Re: [cabfpub] .onion and .exit<br>
                    <br>
                    On 16/10/14 18:01, Jeremy Rowley wrote:<br>
                    > I asked a couple of companies who have
                    requested these types of certs<br>
                    > about this and here is one reason for wanting a
                    cert:<br>
                    <br>
                    It looks like the real issue here is proving
                    real-world ownership and control of .onion
                    addresses, either by tying them to an existing
                    real-world website (DV with multiple SANs) or an
                    identity (EV).<br>
                    <br>
                    In the EV case, the UI would show the tied identity,
                    but not in the DV case. Although the Tor Browser
                    Bundle could be updated to do something smart - if
                    there's a .onion address, instead show the DNS name
                    from the first non-onion SAN, or something.<br>
                    <br>
                    (You may remember a while back I suggested that
                    internal server name certs should have at least one
                    globally-resolvable name in, and that browsers
                    should display that instead, even if the internal
                    name was used. This is a similar idea.)<br>
                    <br>
                    Gerv<br>
                    _______________________________________________<br>
                    Public mailing list<br>
                    <a moz-do-not-send="true"
                      href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
                    <a moz-do-not-send="true"
                      href="https://cabforum.org/mailman/listinfo/public"
                      target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
                  </div>
                </div>
              </blockquote>
            </div>
            <br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>