[cabfpub] .onion proposal

Jeremy Rowley jeremy.rowley at digicert.com
Tue Nov 18 06:12:19 UTC 2014

Sure - I'm good with that.  

-----Original Message-----
From: Brian Smith [mailto:brian at briansmith.org] 
Sent: Monday, November 17, 2014 11:07 PM
To: Jeremy Rowley
Cc: Ryan Sleevi; CABFPub
Subject: Re: [cabfpub] .onion proposal

On Mon, Nov 17, 2014 at 9:56 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> It’s not a disservice if the Forum agrees to restrict onion issuance 
> to the prescribed process, especially since we know onion is en route 
> to an RFC as a reserved name.

I agree. The process for getting ".onion" reserved could take a while.
It is extremely unlikely that ".onion" will not become reserved. What Jeremy is suggesting seems better than waiting for ".onion" to become officially reserved, because it would mean that forum members would stop using the internal name exception for ".onion".

Perhaps, while the reservation for ".onion" is still pending, there should be additional rules about the maximum lifetime and against backdating for ".onion" certs. E.g. notBefore must be within 7 days of the issuance date, and notAfter must be within a year of notBefore.
This way, we limit the badness that can occur if ".onion" ultimately isn't reserved.

In fact, I think these two rules would be good rules for .onion, permanently.
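
The two validity rules proposed above, written as a lint check; this is an added example, not part of the original e-mail thread. It assumes the issuance time is known from an outside source such as the CA's issuance log and reads "a year" as at most 366 days; the function names and sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(days=7)        # notBefore within 7 days of issuance
MAX_LIFETIME = timedelta(days=366)  # assumption: "a year" read as <= 366 days

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def has_onion_name(dns_names):
    # Only the rightmost label counts, so "onion.example.com" is not matched.
    return any(n.lower().rstrip(".").endswith(".onion") for n in dns_names)

def lint_onion_validity(dns_names, not_before, not_after, issued_at):
    """Return a list of findings; empty if compliant or not a .onion cert."""
    if not has_onion_name(dns_names):
        return []
    findings = []
    if abs(issued_at - not_before) > MAX_SKEW:
        kind = "backdated" if not_before < issued_at else "postdated"
        findings.append(f"notBefore {kind} more than 7 days from issuance")
    if not_after <= not_before:
        findings.append("notAfter is not later than notBefore")
    elif not_after - not_before > MAX_LIFETIME:
        findings.append("notAfter more than a year after notBefore")
    return findings

# Constructed records: label, SAN dNSNames, notBefore, notAfter, issuance time
ISSUED = utc(2014, 11, 18)
SAMPLES = [
    ("ok", ["constructedexample.onion"], utc(2014, 11, 17), utc(2015, 11, 17), ISSUED),
    ("backdated", ["constructedexample.onion"], utc(2014, 9, 1), utc(2015, 8, 31), ISSUED),
    ("too_long", ["constructedexample.onion"], utc(2014, 11, 18), utc(2016, 11, 18), ISSUED),
    ("not_onion", ["onion.example.com"], utc(2014, 1, 1), utc(2017, 1, 1), ISSUED),
]

def run_samples():
    return {label: lint_onion_validity(*rest) for label, *rest in SAMPLES}

if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(label, findings or "compliant")
```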

