[cabfpub] Ballot 144 -.onion domains

Jeremy Rowley jeremy.rowley at digicert.com
Fri Feb 13 01:43:22 UTC 2015

#5 in the ballot: 
5.    CAs MUST NOT issue a Certificate that includes a Domain Name where .onion is in the right-most label of the Domain Name with a validity period longer than 15 months. Despite Section 9.2.1 of the Baseline Requirements deprecating the use of Internal Names, a CA MAY issue a Certificate containing an .onion name with an expiration date later than 1 November 2015 after (and only if) .onion is officially recognized by the IESG as a reserved TLD.  

-----Original Message-----
From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Thursday, February 12, 2015 6:18 PM
To: Jeremy Rowley
Cc: kirk_hall at trendmicro.com; CABFPub; Ben Wilson
Subject: Re: [cabfpub] Ballot 144 -.onion domains

On Thu, Feb 12, 2015 at 5:14 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> One caveat is that another ballot is not required if the IESG 
> officially recognizes .onion a reserved name.

Yes it does.

Per BR 1.2.3
Internal Name: A string of characters (not an IP address) in a Common Name or Subject Alternative Name field of a Certificate that cannot be verified as globally unique within the public DNS at the time of certificate issuance because it does not end with a Top Level Domain registered in IANA’s Root Zone Database.

An IESG reservation would not result in it being added to the IANA Root Zone Database. You can see this is already the case for RFC 6761 names not being present in the Root Zone Database at [1]

[1] https://www.iana.org/domains/root/files

More information about the Public mailing list