[cabfpub] Ballot .onion ballot

Erwann Abalea erwann.abalea at opentrust.com
Thu Feb 5 10:05:01 UTC 2015


On 04/02/2015 22:19, Jeremy Rowley wrote:

> Amend the Guidelines for the Issuance and Management of Extended 
> Validation Certificates v1.5.2 as follows:
> Amend Section 9.2.2 and 11.7.1 as follows:
> 9.2.2. Subject Alternative Name Extension Certificate field: 
> subjectAltName:dNSName
> Required/Optional: Required
> Contents: This extension MUST contain one or more host Domain Name(s) 
> owned or controlled by the Subject and to be associated with the 
> Subject's server. Such server MAY be owned and operated by the Subject 
> or another entity (e.g., a hosting service). Wildcard certificates are 
> not allowed for EV Certificates _except as permitted under Appendix F_.

So an EV certificate can't be a wildcard one, except under some new 
conditions, applicable only to .onion names. Not a small change.


> Add a new Appendix F:
> Appendix F -- Issuance of Certificates for .onion Domain Names


> 4. Each Certificate that includes a Domain Name where .onion is in the 
> right-most label of the Domain Name MUST conform to the requirements 
> of these Guidelines, including the content requirements in Section 9 
> and Appendix B of the Baseline Requirements, except that the CA MAY 
> include a wildcard character in the Subject Alternative Name Extension 
> and Subject Common Name Field as the right-most character in the 
> .onion Domain Name provided inclusion of the wildcard character 
> complies with Section 11.1.3 of the Baseline Requirements.

What does that mean?
Is <prefix>*.onion accepted?
Is *.onion accepted?

