[cabfpub] .onion proposal
Tom Ritter
tom at ritter.vg
Wed Dec 3 02:54:23 UTC 2014
Thanks Jeremy! I'm working with Tor to try and advance this effort on
a few different technical and policy fronts, and I think this is a
good path forward.
On 1 December 2014 at 18:18, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> b. The CA MAY verify the Applicant's control over the .onion service by
> signing a Certificate Request using the .onion public key if (i) the
> signature contains a random value chosen by the CA that prevents a
> fraudulent applicant from obtaining the signed statement within the
> signature { 2.23.140.1.41 } and (ii) the signature contains a random value
> chosen by the Applicant that prevents the CA from choosing the entire
> contents of the signed statement { 2.23.140.1.42 }. Each
> nonce/counter-nonce MUST have at least 64-bits of entropy and MUST be
> presented as an OCTET STRING in the appropriate extension (specified above)
> in the Attributes section of the certificationRequestInfo.
I've started a thread on tor-dev that discusses ways to safely do
this: https://lists.torproject.org/pipermail/tor-dev/2014-November/007853.html
(and https://lists.torproject.org/pipermail/tor-dev/2014-December/007901.html
). I need to update the specification I sent in the first email with
Nick and Ian's thoughts in the second link - but the effort to define
a safe way to do this (because of the key reusage Ryan brought up) is
underway.
-tom