<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.im
{mso-style-name:im;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks Ryan! I’ll get it updated. I appreciate the endorsement.<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></a></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Ryan Sleevi [mailto:sleevi@google.com]
<br>
<b>Sent:</b> Tuesday, December 9, 2014 4:16 PM<br>
<b>To:</b> Jeremy Rowley<br>
<b>Cc:</b> Tom Ritter; public@cabforum.org<br>
<b>Subject:</b> Re: [cabfpub] .onion proposal<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi Jeremy,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I believe you mean for (b) that it was "signing a Certificate Request using the .onion private key"<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I think the wording for b. could be improved by being a bit more explicit on those OID values and how they're encoded in the CSR, but I consider that more editorial work than anything. That is, something like (and here I'm being lazy and
not fully fleshing out the proposal, just the structure)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">b. The CA MAY verify the Applicant's control over the .onion service by having the Applicant provide a Certificate Signing Request signed the the .onion private key if the Attributes section of the certificationRequestInfo contains:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> i) A [someNameHere] attribute which contains a single value that contains at least 64-bits of entropy, generated by the CA and delivered to the Applicant out-of-band<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> ii) A [someOtherNameHere] attribute which contains a single value that contains at least 64-bits of entropy, generated by the Applicant<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">cabf-someIdHere ID ::= { someIdHere }<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">cabf-someOtherIdHere ID ::= { someOtherIdHere }<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">someNameHere ATTRIBUTE ::= {<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> WITH SYNTAX OCTET STRING,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> ID cabf-someIdHere<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">}<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">someOtherNameHere ATTRIBUTE ::= {<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> WITH SYNTAX OCTET STRING,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> ID cabf-someOtherIdHere<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">}<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The reason I suggest rewording is to address a couple ambiguities in the current proposal:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">1) It's not clear that { 2.23.140.1.41 } is the OID (or at least not called out as such)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">2) You don't mention until the end that it appears in the Attributes section. Since you're enumerating multiple attributes, it helps to place that statement first, then enumerate each of the attributes that must be present<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">3) Note that ASN.1 is awful for the uninitiated (and I consider myself among them). Above is possibly a misreading of the X.501 module and the X.683 syntax, but I've made a good stab at it. I suspect Tom has some contacts who can check
my awful ASN.1 1998, if not some of the members here.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">A point with 3 is that the current language may leave some ambiguity. An RFC 2986 Attribute is a type identified by an OID, whose value is a SET of 1...MAX of the internal type. The SET type for each of the OIDs MUST only include a single
value, but I'm not sure how to express that. The ASN.1 definitions in RFC 2986 ignore the single-valued attribute of the ATTRIBUTE type from X.501, so I've just left it to prose.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For example, it'd be non-conforming to have this proposal be interpreted as encouraging violating RFC 2986, where instead of a SEQUENCE { OBJECT IDENTIFIER id, SET OF Types }, it's instead a SEQUENCE { OBJECT IDENTIFIER id, OCTET STRING
}.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">(Yes, this means that the RFC 2986 syntax is more limiting than the RFC 5280 syntax. Oh well).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Feel free to smith at will, but those were the concerns.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I think we'd be happy to endorse with a few fixes to the above issues, however you see fit.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mon, Dec 8, 2014 at 9:33 AM, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal" style="margin-bottom:12.0pt">Thanks Tom! Does anyone else have comments? If not, do I have someone willing to endorse?<br>
<br>
<span class="im">-----Original Message-----</span><br>
<span class="im">From: Tom Ritter [mailto:<a href="mailto:tom@ritter.vg">tom@ritter.vg</a>]</span><br>
<span class="im">Sent: Tuesday, December 2, 2014 7:54 PM</span><br>
<span class="im">To: Jeremy Rowley</span><br>
<span class="im">Cc: <a href="mailto:public@cabforum.org">public@cabforum.org</a></span><br>
<span class="im">Subject: Re: [cabfpub] .onion proposal</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">Thanks Jeremy! I'm working with Tor to try and advance this effort on a few different technical and policy fronts, and I think this is a good path forward.<br>
<br>
On 1 December 2014 at 18:18, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>> wrote:<br>
> b. The CA MAY verify the Applicant's control over the .onion service by<br>
> signing a Certificate Request using the .onion public key if (i) the<br>
> signature contains a random value chosen by the CA that prevents a<br>
> fraudulent applicant from obtaining the signed statement within the<br>
> signature { 2.23.140.1.41 } and (ii) the signature contains a random<br>
> value chosen by the Applicant that prevents the CA from choosing the<br>
> entire contents of the signed statement { 2.23.140.1.42 }. Each<br>
> nonce/counter-nonce MUST have at least 64-bits of entropy and MUST be<br>
> presented as an OCTET STRING in the appropriate extension (specified<br>
> above) in the Attributes section of the certificationRequestInfo.<br>
<br>
I've started a thread on tor-dev that discusses ways to safely do<br>
this: <a href="https://lists.torproject.org/pipermail/tor-dev/2014-November/007853.html" target="_blank">
https://lists.torproject.org/pipermail/tor-dev/2014-November/007853.html</a><br>
(and <a href="https://lists.torproject.org/pipermail/tor-dev/2014-December/007901.html" target="_blank">
https://lists.torproject.org/pipermail/tor-dev/2014-December/007901.html</a><br>
). I need to update the specification I sent in the first email with Nick and Ian's thoughts in the second link - but the effort to define a safe way to do this (because of the key reusage Ryan brought up) is underway.<br>
<br>
-tom<br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</body>
</html>