[cabfpub] Ballot .onion ballot

Gervase Markham gerv at mozilla.org
Thu Feb 5 14:26:39 UTC 2015


On 05/02/15 14:13, Erwann Abalea wrote:
> Even with this typo corrected, what is the rationale behind allowing 
> wildcard EV certificates for .onion domains while rejecting wildcards 
> for all other EV certs?
> 
> Why should "*.facebookcorewwwi.onion" be allowed and "*.facebook.com" 
> refused?

I'm not the person who argued for a restriction on *.facebook.com EV,
but the idea of no wildcard for EV, as I understand it, is that you then
get e.g. EV "*.blogspot.com" and the actual person controlling
fred.blogspot.com is not named in the EV cert fred.blogspot.com is
using, thereby defeating the point of EV as being about identity.

With .onion, there is a single private key (the one whose public
fingerprint is facebookcorewwwi, in the case of Facebook) and so the
idea of different mutually-untrusting entities owning and controlling
different parts of the subdomain space doesn't really make much sense.
So the above risk is not present.

Gerv
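The point above, that a .onion name is the fingerprint of one service key so every label beneath it belongs to the same key holder, as an added illustration that is not part of the thread. It assumes the v2 address scheme in use at the time (first 80 bits of SHA-1 over the DER-encoded RSA public key, base32) and uses constructed stand-in key bytes rather than any real service key.

```python
import base64
import hashlib

# Constructed stand-in for a DER-encoded RSAPublicKey; a real check would
# use the service's actual hidden-service public key bytes here.
EXAMPLE_SERVICE_KEY_DER = b"constructed example RSAPublicKey DER bytes"

B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def v2_onion_label(public_key_der: bytes) -> str:
    """Derive the 16-character v2 .onion label from a service public key.

    The label is the first 10 bytes of SHA-1 over the DER public key,
    base32-encoded and lower-cased, so it names exactly one key holder.
    """
    digest = hashlib.sha1(public_key_der).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower()


def service_label(hostname: str):
    """Return the .onion service label a hostname resolves under, or None.

    Everything left of the service label ("www.", "*.", "a.b.") is routed
    to the same rendezvous service, so one key holder controls all of it.
    A hostname outside .onion has no such single owner and yields None.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        return None
    label = labels[-2]
    if len(label) != 16 or any(c not in B32_ALPHABET for c in label):
        return None
    return label


def bound_to_key(hostname: str, public_key_der: bytes) -> bool:
    """True if hostname (any subdomain or wildcard form included) is
    controlled by whoever holds the private key for public_key_der."""
    return service_label(hostname) == v2_onion_label(public_key_der)
```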
