[cabfpub] Ballot 144 -.onion domains

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Feb 12 13:45:45 MST 2015


Here are screen shots of the Facebook.com cert, if anyone hasn't seen it. The .onion domains are in the second shot in the SANs field.

[Attachment image001.png: first screenshot of the Facebook.com certificate]

[Attachment image002.png: second screenshot, showing the .onion names in the SANs field]

From: Kirk Hall (RD-US)
Sent: Thursday, February 12, 2015 12:44 PM
To: Jeremy Rowley (jeremy.rowley at digicert.com); Ben Wilson (Ben.Wilson at digicert.com)
Cc: CABFPub (public at cabforum.org)
Subject: Ballot 144 -.onion domains

Jeremy and Ben - sorry we didn't ask these questions last week, but I was travelling and didn't realize the comment period had begun.

(1) We are concerned that under Ballot 144 there could be two .onion certs with the SAME domain but identifying two DIFFERENT subjects.

For example, Evil Corp. and Angel Corp. could each submit a request for a .onion cert and get the same domain: [same 16 digit hash of their public keys].onion if their public keys hash to the same value.  One cert would say O=Evil Corp. the other would say O=Angel Corp., so that a .onion domain would not be uniquely identified with one subject.  While unlikely, it could happen.

How does Tor resolve this if the same .onion domain is assigned to multiple, different subjects?  If someone types in [16 digit hash].onion and that could lead to multiple Tor locations, how does Tor decide where to direct the user?

(2)  Does this also create an opportunity for a hacker?  For example, one of the .onion domains in the SANs field of the Facebook cert you created is *.xx.fbcdn23dssr3jqnq.onion - could a hacker create a public key that would hash to the same value in order to get a cert with the same .onion domain and imitate the Facebook cert?  (This is maybe the more serious case.)

(3) Another concern is there is no central registry to identify the owner of a .onion domain (of course, there could be multiple owners of the domain under the scenario above).  If there is no Subject info in the O field, etc., with no registry there is no real way to contact the domain (or cert owner).

Any information you can provide on these points will be very helpful.
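An added illustration for questions (1) and (2), not part of the original message and not code from Ballot 144 or from Tor: in the v2 hidden-service scheme in use when this was written, a .onion name is the lowercase base32 encoding of the first 80 bits of the SHA-1 hash of the DER-encoded RSA public key, which is where the 16-character label in the question comes from. The code below derives that label from a key and performs the check a CA or relying party would want, namely whether the key presented in a request actually derives the .onion name being requested. The RSA moduli used in the demonstration are small constructed values, not real keys.

```python
import base64
import hashlib


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative int; a leading 0x00 keeps the sign bit clear."""
    if value < 0:
        raise ValueError("only non-negative integers are encoded here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return b"\x30" + der_length(len(body)) + body


def rsa_public_key_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    return der_sequence(der_integer(n), der_integer(e))


def onion_v2_address(der_public_key: bytes) -> str:
    """v2 label: base32 of the first 10 bytes (80 bits) of SHA-1 over the DER key."""
    digest = hashlib.sha1(der_public_key).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower()


def label_from_name(name: str) -> str:
    """Reduce a requested name such as *.xx.<hash>.onion to its 16-char hash label."""
    label = name.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    return label.split(".")[-1]


def verify_onion_binding(claimed_name: str, der_public_key: bytes) -> bool:
    """Does the applicant's key actually derive the .onion name in the request?

    This is the binding a CA checks instead of consulting a registry: the name
    is a function of the key, so presenting the key is presenting ownership.
    """
    label = label_from_name(claimed_name)
    return len(label) == 16 and label == onion_v2_address(der_public_key)


if __name__ == "__main__":
    # Constructed toy keys (tiny moduli); a real hidden-service key is 1024-bit RSA.
    key_a = rsa_public_key_der(0xC0FFEE, 65537)
    key_b = rsa_public_key_der(0xC0FFEF, 65537)
    for name, key in (("key_a", key_a), ("key_b", key_b)):
        print(name, onion_v2_address(key) + ".onion")
    requested = "*.xx." + onion_v2_address(key_a) + ".onion"
    print("key_a derives", requested, "->", verify_onion_binding(requested, key_a))
    print("key_b derives", requested, "->", verify_onion_binding(requested, key_b))
```

Because the label is an 80-bit truncation of the hash, a second key that derives an existing name would be a second preimage on that truncation, on the order of 2^80 SHA-1 evaluations for a fixed target; that cost, not a registry, is what keeps a v2 name bound to one key, and the verification above is the check that turns the key into proof of control over the name in a request.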


