[cabfpub] .onion proposal

Jeremy Rowley jeremy.rowley at digicert.com
Wed Nov 19 20:48:18 UTC 2014

Well, Nov 1 2016 is the date that the certs should be revoked. Nov 2015 is the date of no more issuance.

I’m not really interested in ceasing all support for Tor.  Having a special cut-off for onion seems like a slap in the face to their browser after they posted their support for the project, especially since Google doesn’t use .onion names.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Wednesday, November 19, 2014 1:45 PM
To: Jeremy Rowley
Cc: Brian Smith; Gervase Markham; public at cabforum.org
Subject: Re: [cabfpub] .onion proposal

On Wed, Nov 19, 2014 at 12:36 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
How do you address this concern other than by modifying the way the onion names are assigned? I guess either not permit conflicting services by only routing to the service with the oldest identified service (instead of evicting the old service) or having Tor move to a SHA-2 hash.  I know Tor is looking at the issue and will likely have more insight they can share.

While a solution is in flux, the Forum should still have validation rules in place for onion that last until 2016 (the revocation date of all internal names) so that current certs undergo a set process for issuance rather than issue as internal names.


You mean 1 November 2015. That's been the date that no BR-conforming CA is allowed to set the expiration date past. (9.2.1 of BR 1.2.2)

PROPOSAL: Effective immediately, CAs MUST NOT issue certificates for the .onion TLD and MUST revoke all certificates issued for the .onion TLD

Then we work out a proposal to set up rules for validating .onion names, which may or may not be blocked on Tor work at the protocol or browser level, and also work - with the broader Tor community - to see if there are any interim steps that can be accepted.

-----Original Message-----
From: Brian Smith [mailto:brian at briansmith.org]
Sent: Wednesday, November 19, 2014 1:26 PM
To: Gervase Markham
Cc: Jeremy Rowley; public at cabforum.org
Subject: Re: [cabfpub] .onion proposal
Gervase Markham <gerv at mozilla.org> wrote:
> I'm in support of this in principle. There are two issues with 'normal'
> internal server names:
> 1) It's not possible to prove exclusive ownership of them (because they
>    aren't exclusively owned);
> For .onion names, problem 1) does not apply.

That is only true assuming you can rely on the second-preimage resistance of truncated SHA-1, like Ryan pointed out. I think his point is that the second-preimage resistance of truncated SHA-1 is not strong enough to make claims like this. (Ryan: Sorry if I'm misunderstanding you. Corrections appreciated.) I think that concern should be addressed. This is one reason I suggested to limit the maximum lifetime of .onion certificates.

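To make the truncated-SHA-1 concern Brian and Ryan raise concrete, here is an added example (not code from anyone in this thread) that derives a Tor v2 .onion address the way Tor does it, base32 of the first 80 bits of SHA-1 over the DER-encoded RSAPublicKey, and shows the check a CA could run to confirm a requested .onion name matches the key the applicant holds. The sample key bytes are a constructed placeholder, not a real key, and the function names are my own.

```python
"""Tor v2 .onion address derivation and a CA-side name-to-key check.

Added example for the cabfpub thread; not code from the thread or from
Tor. Scheme: address = lowercase base32(SHA-1(DER RSAPublicKey)[:10]).
"""
import base64
import hashlib

ONION_V2_HASH_BYTES = 10     # 80 of SHA-1's 160 digest bits survive truncation
ONION_V2_ADDRESS_LEN = 16    # 80 bits / 5 bits per base32 character


def onion_v2_address(rsa_public_key_der: bytes) -> str:
    """Return the 16-character v2 .onion label for a DER RSAPublicKey."""
    digest = hashlib.sha1(rsa_public_key_der).digest()
    truncated = digest[:ONION_V2_HASH_BYTES]
    return base64.b32encode(truncated).decode("ascii").lower()


def effective_second_preimage_bits() -> int:
    """Work factor, in bits, to find a second key with the same v2 address.
    Truncation caps it at 80 bits, whatever SHA-1's full digest offers."""
    return ONION_V2_HASH_BYTES * 8


def address_matches_key(claimed: str, rsa_public_key_der: bytes) -> bool:
    """Validation a CA could apply before issuance: the requested .onion
    name must equal the address derived from the applicant's own key."""
    label = claimed.lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != ONION_V2_ADDRESS_LEN:
        return False
    return label == onion_v2_address(rsa_public_key_der)


# Constructed stand-in for a DER-encoded key (NOT a valid RSA key).
SAMPLE_KEY_DER = b"\x30\x82\x01\x0a\x02\x82\x01\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    addr = onion_v2_address(SAMPLE_KEY_DER)
    print(addr + ".onion", address_matches_key(addr + ".onion", SAMPLE_KEY_DER))
    print("second-preimage work factor:", effective_second_preimage_bits(), "bits")
```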