[cabfpub] .onion and .exit

Jeremy Rowley jeremy.rowley at digicert.com
Tue Oct 14 16:29:42 UTC 2014

Yeah - we specified IANA. I can see the point in providing certs.  I think Tor uses NSS for its roots, and I know there has been use of bogus digital certificates to spy on the network. 

From the BRs:

Internal Name: A string of characters (not an IP address) in a Common Name or Subject Alternative Name field of 
a Certificate that cannot be verified as globally unique within the public DNS at the time of certificate issuance 
because it does not end with a Top Level Domain registered in IANA’s Root Zone Database

-----Original Message-----
From: hallam at gmail.com [mailto:hallam at gmail.com] On Behalf Of Phillip Hallam-Baker
Sent: Tuesday, October 14, 2014 10:21 AM
To: Jeremy Rowley
Subject: Re: [cabfpub] .onion and .exit

On Tue, Oct 14, 2014 at 12:15 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> Right now the CAB Forum guidelines treat .onion and .exit as internal 
> names, despite them being understandable and unique addresses in Tor.  
> I’m wondering whether CAs should support issuance of certs to these 
> names if the server operator can demonstrate control over the service. 
> Right now, issuance of these certs will be prohibited next year since 
> the definition of internal names is basically anything not registered 
> by IANA. Is there any interest in creating an exception for these anonymous services?

Did we really specify IANA or ICANN? I was pretty sure we were avoiding that.

That said, I don't see the point of issuing certificates for an anonymizing network.

More information about the Public mailing list