[cabfpub] .onion proposal

Jeremy Rowley jeremy.rowley at digicert.com
Wed Nov 19 18:39:55 UTC 2014

There's a similar discussion on the Tor mailing list about this (a cryptographic binding between a non-Tor and Tor identity).  If you haven't checked over there, you might want to since it sounds like something that might happen later. 

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Wednesday, November 19, 2014 10:07 AM
To: Brian Smith; Jeremy Rowley
Cc: public at cabforum.org
Subject: Re: [cabfpub] .onion proposal

On 13/11/14 01:34, Brian Smith wrote:
>> 2)      The CA MUST verify a non-onion domain name owned by the applicant
>> and assert that domain name in the same certificate as the .onion 
>> address
> I don't think that this should be required. It could have very 
> negative consequences.

It may not be required, but it should certainly be allowed. A strong cryptographic binding between a non-Tor and a Tor identity is an awesome thing, because a browser who encountered the cert on a non-Tor site would then know for certain how to connect over Tor in the future. In fact, it would be cool if someone specced out the right way of doing that.
