[cabfpub] .onion proposal
Brian Smith
brian at briansmith.org
Mon Nov 17 23:07:14 MST 2014
On Mon, Nov 17, 2014 at 9:56 PM, Jeremy Rowley
<jeremy.rowley at digicert.com> wrote:
> It’s not a disservice if the Forum agrees to restrict onion issuance to the
> prescribed process, especially since we know onion is on route to an RFC as
> a reserved name.
I agree. The process for getting ".onion" reserved could take a while.
It is extremely unlikely that ".onion" will not become reserved. What
Jeremy is suggesting seems better than waiting for ".onion" to become
official reserved, because it would mean that forum members would stop
using the internal name exception for ".onion".
Perhaps, while the reservation for ".onion" is still pending, there
should be additional rules about the maximum lifetime and against
backdating for ".onion" certs. E.g. notBefore must be within 7 days of
the issuance date, and notAfter must be within a year of notBefore.
This way, we limit the badness that can occur if ".onion" ultimately
isn't reserved.
In fact, I think these two rules would be good rules for .onion, permanently.
Cheers,
Brian
More information about the Public
mailing list