[cabfpub] Ballot .onion ballot

Erwann Abalea erwann.abalea at opentrust.com
Thu Feb 5 03:05:01 MST 2015


Hello,

On 04/02/2015 22:19, Jeremy Rowley wrote:
[...]

> Amend the Guidelines for the Issuance and Management of Extended 
> Validation Certificates v1.5.2 as follows:
>
> Amend Section 9.2.2 and 11.7.1 as follows:
>
> 9.2.2. Subject Alternative Name Extension Certificate field: 
> subjectAltName:dNSName
>
> Required/Optional: Required
>
> Contents: This extension MUST contain one or more host Domain Name(s) 
> owned or controlled by the Subject and to be associated with the 
> Subject's server. Such server MAY be owned and operated by the Subject 
> or another entity (e.g., a hosting service). Wildcard certificates are 
> not allowed for EV Certificates _except as permitted under Appendix F_.
>

So an EV certificate can't be a wildcard one, except under some new 
conditions, applicable only to .onion names. Not a small change.


[...]

> Add a new Appendix F:
>
> Appendix F -- Issuance of Certificates for .onion Domain Names
>

[...]

> 4. Each Certificate that includes a Domain Name where .onion is in the 
> right-most label of the Domain Name MUST conform to the requirements 
> of these Guidelines, including the content requirements in Section 9 
> and Appendix B of the Baseline Requirements, except that the CA MAY 
> include a wildcard character in the Subject Alternative Name Extension 
> and Subject Common Name Field as the right-most character in the 
> .onion Domain Name provided inclusion of the wildcard character 
> complies with Section 11.1.3 of the Baseline Requirements.
>

What does that mean?
Is <prefix>*.onion accepted?
Is *.onion accepted?

-- 
Erwann ABALEA

