[cabfpub] .onion proposal

Gervase Markham gerv at mozilla.org
Wed Nov 19 17:06:35 UTC 2014

On 13/11/14 01:34, Brian Smith wrote:
>> 2)      The CA MUST verify a non-onion domain name owned by the applicant
>> and assert that domain name in the same certificate as the .onion address
> I don't think that this should be required. It could have very
> negative consequences. 

It may not be required, but it should certainly be allowed. A strong
cryptographic binding between a non-Tor and a Tor identity is an awesome
thing, because a browser that encountered the cert on a non-Tor site
would then know for certain how to connect over Tor in the future. In
fact, it would be cool if someone specced out the right way of doing that.


