[cabfpub] .onion and .exit

Adam Langley agl at google.com
Thu Oct 16 17:58:07 UTC 2014

On Thu, Oct 16, 2014 at 10:42 AM, Jeremy Rowley
<jeremy.rowley at digicert.com> wrote:
> I think it makes sense in even a DV concept.  A user seeing that the cert has the .onion address as well as the .com address receives some assurance that both are controlled by the same entity.  If the user can accept google.com as solely controlled by Google, they have some verification under the BRs that the domains in the same certificate are also controlled by that entity.
> Granted, EV provides a higher level of assurance, but there are still assurances of control provided by DV and OV.  The goal is to remove anonymity for the service provider while still giving the user the same anonymity benefits provided by the .onion addresses.

I give a very low weighting to the idea that putting two names in the
same certificate is useful because it requires that users dig around
in certificates and look at the SAN values. Also, it's quite common
that such a guideline goes wrong: hosting providers might have dozens
of site names in the same certificate but those sites aren't all run
by the same entity -- they are only served by the same entity.

But an EV certificate for a .onion doesn't seem inherently daft. I
still think that the Tor project should be invited to voice their
opinion however. I'll go point some people at this thread.
