[cabfpub] .onion proposal

Brian Smith brian at briansmith.org
Wed Nov 19 21:27:13 UTC 2014

On Wed, Nov 19, 2014 at 12:52 PM, Ryan Sleevi <sleevi at google.com> wrote:
> It's hardly a slap in the face - it's a recognition of the security risks of
> allowing .onion names to be a wild-west free for all with no vetting -
> meaning ANYONE can MITM / any CA can issue for
> https://facebookcorewwwi.onion/  without violating a single one of the BRs
> or any root policy.

Is it really necessary to revoke the facebookcorewwwi.onion
certificate? If no new certificates could be issued, then the
second-preimage resistance issue wouldn't be a problem for it, right?

The CAs and businesses that want .onion certificates should sit down
with (and probably fund) the developers of Tor to add support for
names with stronger second-preimage resistance, and present that plan
to CAB Forum, so that CAB Forum can make a reasonable decision about
how to make certificates for Tor hidden services work.
