[cabfpub] .onion and .exit

[Ryan Sleevi]

The BRs are clear in Section 9.2.1 that putting values other than dNSName
and iPAdress in a SAN are PROHIBITED. It states very clearly that the
entries of this type MUST be of these two forms.

This is because the BRs describe precisely how to validate these
information fields. Other field types, such as URI or rfc822name, are NOT
described for how to validate in the BRs, and thus are prohibited (as part
of the general restrictions of the BRs to prohibit any unvalidated
information / any information that's not consistently validated).

Similarly, per Section 9.2.1, the names .onion and .exit constitute
Internal Server Names, and are thus deprecated and STRONGLY discouraged. We
would not support any CA issuing for such names.

If and when such a time as IANA or the IETF takes action to indicate that
these are Reserved Domain Names, they would still constitute Internal
Server Names and thus not be permissable to issue, the same as issuing a
certificate for foo.localhost would not be valid.

On Wed, Oct 22, 2014 at 6:40 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> Any thoughts from the browers on Peter's idea?  Can CAs use SANs options
> other than DNS Name for this type of information? Do browsers use the other
> options?
>
> Jeremy
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Jeremy Rowley
> Sent: Friday, October 17, 2014 8:21 AM
> To: Gervase Markham; Adam Langley
> Cc: Phillip Hallam-Baker; CABFPub
> Subject: Re: [cabfpub] .onion and .exit
>
> Adding Peter Bowen's comment to the discussion:
>
> What about using the uniformResourceIdentifier option for
> subjectAlternativeName?
>
> The Baseline Requirements say "Each entry MUST be either a dNSName
> containing the Fully-Qualified Domain Name or an iPAddress containing the
> IP address of a server", which would appear to rule this out, but I'm not
> sure if that was the intention.  Do the BRs really mean to disallow putting
> rfc822Name, directoryName, or other types of names in the SAN?
>
> Thanks,
> Peter
>
>
> -----Original Message-----
> From: Gervase Markham [mailto:gerv at mozilla.org]
> Sent: Friday, October 17, 2014 3:18 AM
> To: Jeremy Rowley; Adam Langley
> Cc: Phillip Hallam-Baker; CABFPub
> Subject: Re: [cabfpub] .onion and .exit
>
> On 16/10/14 18:01, Jeremy Rowley wrote:
> > I asked a couple of companies who have requested these types of certs
> > about this and here is one reason for wanting a cert:
>
> It looks like the real issue here is proving real-world ownership and
> control of .onion addresses, either by tying them to an existing real-world
> website (DV with multiple SANs) or an identity (EV).
>
> In the EV case, the UI would show the tied identity, but not in the DV
> case. Although the Tor Browser Bundle could be updated to do something
> smart - if there's a .onion address, instead show the DNS name from the
> first non-onion SAN, or something.
>
> (You may remember a while back I suggested that internal server name certs
> should have at least one globally-resolvable name in, and that browsers
> should display that instead, even if the internal name was used. This is a
> similar idea.)
>
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20141023/281b9bbd/attachment.html