[cabfpub] Ballot .onion ballot

Gervase Markham gerv at mozilla.org
Thu Feb 5 14:26:39 UTC 2015

On 05/02/15 14:13, Erwann Abalea wrote:
> Even with this typo corrected, what is the rationale behind allowing 
> wildcard EV certificates for .onion domains while rejecting wildcards 
> for all other EV certs?
> Why should "*.facebookcorewwwi.onion" be allowed and "*.facebook.com" 
> refused?

I'm not the person who argued for a restriction on *.facebook.com EV,
but the idea of no wildcard for EV, as I understand it, is that you then
get e.g. EV "*.blogspot.com" and the actual person controlling
fred.blogspot.com is not named in the EV cert fred.blogspot.com is
using, thereby defeating the point of EV as being about identity.

With .onion, there is a single private key (the one whose public
fingerprint is facebookcorewwwi, in the case of Facebook) and so the
idea of different mutually-untrusting entities owning and controlling
different parts of the subdomain space doesn't really make much sense.
So the above risk is not present.
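The binding Gerv describes can be made concrete. The following is an added example, not code from the thread, from Mozilla or from Tor: it derives a 16-character (v2, the scheme in use in 2015) .onion address from an RSA public key the way Tor does, as the base32 encoding of the first 80 bits of SHA-1 over the PKCS#1 RSAPublicKey DER, and then checks which hostnames (bare, subdomain or wildcard) can only be served by the holder of that key. The modulus `SAMPLE_N` is a constructed stand-in rather than a real RSA key; `onion_label` and `bound_to_key` are illustrative helpers, not Tor or CA/B Forum APIs. Note that an 80-bit truncated SHA-1 fingerprint is weak by current standards, which is one reason later v3 addresses are derived from ed25519 keys instead.

```python
# Added illustration for the point above: a Tor v2 onion address is a fingerprint
# of one RSA public key, so "*.<address>.onion" can only ever be served by the
# holder of that key. This is example code, not from the thread or from Tor.
import base64
import hashlib

B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def _der_length(length):
    """DER length octets: short form below 128, long form otherwise."""
    if length < 128:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """DER INTEGER for a non-negative int (leading 0x00 keeps it positive)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def der_rsa_public_key(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER },
    the encoding Tor hashes for a v2 hidden service identity (i2d_RSAPublicKey)."""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(body)) + body


def onion_address_v2(n, e):
    """First 80 bits of SHA-1 over the DER key, base32 encoded: 16 characters."""
    digest = hashlib.sha1(der_rsa_public_key(n, e)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def onion_label(hostname):
    """Return the 16-char service address in a .onion name, or None.

    Works for the bare name, a subdomain, or a wildcard: the label directly
    left of ".onion" is the key fingerprint whatever sits in front of it.
    (Illustrative helper, not a Tor or CA/B Forum function.)"""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        return None
    addr = labels[-2]
    if len(addr) != 16 or any(c not in B32_ALPHABET for c in addr):
        return None
    return addr


def bound_to_key(hostname, n, e):
    """True iff every name matched by `hostname` must be served by the holder of (n, e)."""
    return onion_label(hostname) == onion_address_v2(n, e)


# Constructed stand-in for a 1024-bit RSA modulus (not a real key; only the
# DER bytes matter for the fingerprint). A real deployment hashes the actual key.
SAMPLE_N = (1 << 1023) + 12345
SAMPLE_E = 65537


if __name__ == "__main__":
    addr = onion_address_v2(SAMPLE_N, SAMPLE_E)
    for name in ("*." + addr + ".onion", "www." + addr + ".onion",
                 "*.facebookcorewwwi.onion", "*.blogspot.com"):
        print(name, "->", bound_to_key(name, SAMPLE_N, SAMPLE_E))
```

Run as a script it prints True for the wildcard and subdomain under the sample key's own address and False for the Facebook name and for a non-.onion wildcard: a wildcard under a .onion name narrows to exactly one key holder, whereas nothing in "*.blogspot.com" ties the names to any single party.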
