[cabfpub] .onion proposal

Geoff Keating geoffk at apple.com
Wed Nov 12 22:57:35 UTC 2014

On 12 Nov 2014, at 12:51 pm, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:

> Hi everyone,
> I’d like to continue the .onion discussion that I started here about a month ago. Primarily, I’d like to see how we can create a very limited exception to the general prohibition on internal name certificates that will take effect in 2015 for the purpose of permitting the CA community to show support for both Tor and entities operating .onion names. Here’s what I propose as issuance requirements:
> 1) The CA MUST verify the applicant for an EV Certificate
> 2) The CA MUST verify a non-onion domain name owned by the applicant and assert that domain name in the same certificate as the .onion address
> 3) The CA MUST verify the applicant’s control over the .onion name using a practical demonstration of control that is verifiable through the Tor browser
> Obviously, if supported, I’d need to revise the language to fit with the BR/EV framework before a vote is possible. However, I think this general framework is a good starting point for continued discussion and hope it will help us find a solution that everyone agrees with.
> To facilitate the discussion moving forward, here is a summary of the previous discussion:
> 1) Although not delegated by IANA, .onion is recognized by Tor as an address used to provide anonymous services
> 2) Tor uses its own encryption so the certificates are about identification
> 3) .onion addresses are generated from the service provider’s key, meaning they are unique (you don’t choose the onion address)
> 4) A certificate would permit service providers to remove their anonymity while preserving the anonymity of their clients
> 5) Continued use of certs for .onion is important for companies like Facebook who would like to facilitate free speech in countries that do not necessarily recognize that as a fundamental right
> Any thoughts on this?

What's the reason not to get .onion reserved (not 'delegated'---no DNS entry for it is necessary or appropriate) at IANA?  The procedure for this is documented in RFC 6761.
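Point 3 of the quoted summary (a .onion address is derived from the service's key, so the operator does not choose it) is what makes the address checkable by a verifier: given the key, anyone can recompute the address and confirm that a certificate request names the address that really belongs to that key. The following is an added example written for this archive page, not code from the thread or from the Tor project. It shows the v2 derivation in use at the time of the discussion (base32 of the first 80 bits of SHA-1 over the DER-encoded RSA public key) and, going beyond the thread's 2014 context, the later v3 derivation (Ed25519 key plus a SHA3-256 checksum and a version byte), together with a parser that rejects a v3 address whose embedded checksum does not match its key. The key bytes are constructed stand-ins, not real keys.

```python
import base64
import hashlib

# Constructed stand-in for the DER-encoded PKCS#1 RSAPublicKey of a v2
# hidden service. Any byte string demonstrates the derivation; it is not a
# real key.
V2_RSA_DER = bytes.fromhex("3082010a0282010100") + bytes(range(256)) + b"\x02\x03\x01\x00\x01"

# Constructed stand-in for a 32-byte Ed25519 public key of a v3 service.
V3_ED25519_PUB = bytes(range(32))

V3_VERSION = b"\x03"


def v2_onion(der_public_key: bytes) -> str:
    """v2 address: lowercase base32 of the first 10 bytes of SHA-1(DER key)."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def v3_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum binding the key and version byte into the address."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def v3_onion(pubkey: bytes) -> str:
    """v3 address: lowercase base32 of PUBKEY || CHECKSUM || VERSION (35 bytes)."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return base64.b32encode(pubkey + v3_checksum(pubkey) + V3_VERSION).decode("ascii").lower()


def parse_v3_onion(address: str):
    """Decode a v3 address (with or without '.onion') and check its structure.

    Returns the embedded public key, or None if the address is malformed,
    carries an unknown version byte, or its checksum does not match the key.
    """
    label = address.lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != 56:
        return None
    try:
        raw = base64.b32decode(label.upper())
    except Exception:  # binascii.Error on characters outside the base32 alphabet
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION or checksum != v3_checksum(pubkey):
        return None
    return pubkey


if __name__ == "__main__":
    print("v2:", v2_onion(V2_RSA_DER) + ".onion")
    addr = v3_onion(V3_ED25519_PUB)
    print("v3:", addr + ".onion")
    print("v3 key recovered:", parse_v3_onion(addr + ".onion") == V3_ED25519_PUB)
```

Recomputing the address from the key is only half of a control check: it proves which key the address belongs to, not that the applicant holds the matching private key. The "practical demonstration of control" in the proposal is what covers the second half, by having the service prove possession over Tor itself.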