[cabfpub] .onion proposal

Gervase Markham gerv at mozilla.org
Wed Nov 19 17:10:38 UTC 2014

On 12/11/14 20:51, Jeremy Rowley wrote:
> I’d like to continue the .onion discussion that I started here about a
> month ago.  Primarily, I’d like to see how we can create a very limited
> exception to the general prohibition on internal name certificates that
> will take effect in 2015 for the purpose of permitting the CA community
> to show support for both Tor and entities operating .onion names.

I'm in support of this in principle. There are two issues with 'normal'
internal server names:

1) It's not possible to prove exclusive ownership of them (because they
   aren't exclusively owned);

2) Their chosen "TLD" might clash with something in the IANA root
   zone database, now and in the future.

For 'normal' internal server names, those two problems are linked, but
we should consider them separately.

For .onion names, problem 1) does not apply. There are various ways the
owner of a .onion name can prove exclusive use - and working out the
best ways to do something like that is what the CAB Forum is _for_.

For .onion names, problem 2) applies to a limited extent. People do not
have free choice of TLD - there's only one, .onion. So the potential for
clashes is much reduced. .onion is on track to be reserved, although
that process takes time. And if ICANN were to consider delegating it as
a "new gTLD" before that process completed, there would be a) a big
fuss, and b) lots of technical reasons why the new owner would have
problems. And really, who would want it? The Northwest Nebraska Onion
Growers Association?

So we can either have certs with .onion names issued until November,
then stop for a while, then start again when it's reserved. Or, we can
do something a bit more sensible. I'm up for working out what that might be.
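The two issues the mail separates, ownership and TLD clash, can be turned into a name-classification check that a CA or an auditor might run over a certificate's dNSName SANs before issuance. The following is an added example, not code from the CAB Forum, Mozilla or the author of the mail: the TLD set is a small constructed subset of the IANA root zone (a real check would load the current database), the .onion label lengths follow Tor's published address formats (16 base32 characters for the v2 addresses in use when the mail was written, 56 for the later v3 format), and the function names are assumptions of this example.

```python
"""
Classify the names in a certificate the way the mail separates them:
names under a delegated public TLD, .onion names, and everything else
(internal server names whose "TLD" may clash with the root zone now or
later). Added example; not CAB Forum code.
"""
import re

# Constructed subset of delegated TLDs for the example. A production
# check would load the live IANA root zone database instead.
IANA_ROOT_TLDS = {"com", "org", "net", "uk", "de", "io"}

# .onion was later reserved as a special-use name (RFC 7686); at the time
# of the mail it was "on track to be reserved".
SPECIAL_USE_TLDS = {"onion"}

# Tor onion address labels are base32 (a-z, 2-7): 16 characters for v2,
# 56 characters for v3. Anything else under .onion is not a valid address.
_ONION_LABEL = re.compile(r"[a-z2-7]{16}|[a-z2-7]{56}")


def classify_name(name: str) -> str:
    """Return 'public', 'onion', 'invalid-onion' or 'internal' for one dNSName.

    Names are normalised (trailing dot removed, lower-cased) before the
    rightmost label is compared against the two TLD sets.
    """
    labels = name.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or any(not lbl for lbl in labels):
        # Single-label or malformed names (e.g. "localhost", "a..b")
        # are unqualified, which is the classic internal server name.
        return "internal"
    tld = labels[-1]
    if tld in SPECIAL_USE_TLDS:
        # The address label is the one directly left of .onion; further
        # labels to its left are ordinary subdomains of the service.
        return "onion" if _ONION_LABEL.fullmatch(labels[-2]) else "invalid-onion"
    if tld in IANA_ROOT_TLDS:
        return "public"
    # Problem 2 from the mail: an undelegated "TLD" chosen by the
    # requester, which may collide with a future root-zone delegation.
    return "internal"


def audit_sans(names):
    """Group a certificate's dNSName SANs by category for review."""
    report = {"public": [], "onion": [], "invalid-onion": [], "internal": []}
    for n in names:
        report[classify_name(n)].append(n)
    return report


if __name__ == "__main__":
    # Constructed sample SAN list; the .onion labels are made up.
    sample = [
        "www.example.com",
        "abcdefghijklmnop.onion",
        "www." + "a" * 56 + ".onion",
        "not-an-onion.onion",
        "mail.corp",
        "localhost",
    ]
    for category, names in audit_sans(sample).items():
        print(f"{category:14s} {names}")
```

The "internal" bucket is the one the 2015 prohibition targets; the "onion" bucket is the candidate for the limited exception the mail argues for, and "invalid-onion" catches names that borrow the suffix without being a real hidden-service address.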