[cabfpub] Revised .onion proposal

Gervase Markham gerv at mozilla.org
Fri Jan 9 10:51:50 UTC 2015

On 08/01/15 21:50, Jeremy Rowley wrote:
>> the CA SHALL confirm that, as of the date the Certificate was
>> issued, the Applicant (or the Applicant’s Parent Company,
>> Subsidiary Company, or Affiliate, collectively referred to as
>> “Applicant” for the purposes of this section) either is the Domain
>> Name Registrant or has control over the FQDN using a procedure
>> specified in Section 11.1.1 of the Baseline Requirements, except
>> that a CA MAY NOT verify a domain using the procedure described
>> 11.1.1(7).
> Hang on; doesn't Appendix F give the list of permitted methods? How
> do section 11.1.1 and the list in Appendix F relate? [JR] They don't.
> I'll add a small amendment to 11.1.1 saying that .onion names should
> be verified in accordance with Appendix F rather than 11.1.1.

Well, surely it would be better to _not_ say "using a procedure
specified in Section 11.1.1" here? :-)

> Is it possible to have multiple ones of these per cert? That needs to
> be necessary for transitioning to new hash algorithms. 
> [JR] Why do
> you need more than one per cert?  You can always provide another cert
> with a separate hash.  I'm not opposed but that seems unnecessary
> since the browsers won't be using this info (unless Mozilla has plans
> to use it?).

The Tor folks would need to chip in, but with my limited understanding I
can see value in comparing the TorServiceDescriptorHash with the hash of
the actual service descriptor, at least in the Tor browser.

More generally, I've come across several situations (e.g. OCSP!) where
someone says "hey, we'd only ever need one of these" and it turned out
to be wrong. Algorithm agility is important; if it's not complex to
allow multiple hashes with different algos in the standard, we should do it.

>> a.      The CA MAY verify the Applicant’s control over the .onion 
>> service by posting a specific value at a well-known URL under
>> RFC5785. [NOTE: This is subject to change depending on whether we
>> can register a well-known URL for onion]
> Are you planning to resolve this before we vote on a motion? [JR] No
> - it's being worked on.  Adoption will help drive it forward.

So what do you expect this part of the text to actually say in the
motion as voted? Presumably it won't read exactly as above.
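As an added illustration (not part of this message or of the CA/B Forum proposal text it quotes), the sketch below shows why a verifier benefits from several TorServiceDescriptorHash values per certificate during a hash-algorithm transition. The descriptor bytes, the list of (algorithm, digest) pairs standing in for the extension values, and the verifier policy are all constructed assumptions; the proposal as quoted here does not specify the extension's encoding.

```python
import hashlib
import hmac

# Constructed sample input: a stand-in for a Tor service descriptor. The real
# descriptor format is not described in the message and is not modelled here.
SAMPLE_DESCRIPTOR = b"hs-descriptor 3\ndescriptor-lifetime 180\n(constructed sample)\n"


def compute_hashes(descriptor, algorithms):
    """Return {algorithm: hexdigest} for each named algorithm.

    Stands in for what a CA would compute when issuing a certificate that
    carries one hash value per algorithm (hypothetical multi-hash layout).
    """
    return {a: hashlib.new(a, descriptor).hexdigest() for a in algorithms}


def verify_descriptor(descriptor, cert_hashes, supported):
    """Check a fetched descriptor against the hashes a certificate carries.

    cert_hashes: list of (algorithm, hexdigest) pairs, as if taken from several
                 TorServiceDescriptorHash values (assumed layout).
    supported:   set of algorithm names this verifier implements.

    Returns (result, reason): True when every supported hash matches,
    False on any mismatch, and None when the certificate lists only
    algorithms this verifier does not know (it cannot verify at all).
    """
    checked = 0
    for algo, expected in cert_hashes:
        if algo not in supported:
            # Old verifier, new algorithm: skip rather than fail, so the
            # remaining entries can still be checked.
            continue
        checked += 1
        actual = hashlib.new(algo, descriptor).hexdigest()
        # Constant-time comparison; both sides are hex strings of equal length.
        if not hmac.compare_digest(actual, expected):
            return False, f"{algo} digest does not match descriptor"
    if checked == 0:
        return None, "certificate carries no hash algorithm this verifier supports"
    return True, f"{checked} supported hash(es) matched"


def transition_scenarios():
    """Walk through the single-hash vs. multi-hash cases from the thread."""
    digests = compute_hashes(SAMPLE_DESCRIPTOR, ["sha256", "sha512"])
    old_verifier = {"sha256"}          # has not yet adopted the newer algorithm
    new_verifier = {"sha256", "sha512"}

    # Certificate that only carries the newer algorithm: the old verifier is stuck.
    only_new = [("sha512", digests["sha512"])]
    # Certificate carrying both: both verifier generations can check it.
    both = list(digests.items())
    tampered = SAMPLE_DESCRIPTOR + b"extra line\n"

    return {
        "old_verifier_only_new_cert": verify_descriptor(SAMPLE_DESCRIPTOR, only_new, old_verifier)[0],
        "old_verifier_multi_hash_cert": verify_descriptor(SAMPLE_DESCRIPTOR, both, old_verifier)[0],
        "new_verifier_multi_hash_cert": verify_descriptor(SAMPLE_DESCRIPTOR, both, new_verifier)[0],
        "new_verifier_tampered_descriptor": verify_descriptor(tampered, both, new_verifier)[0],
    }


if __name__ == "__main__":
    for name, outcome in transition_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the walk-through is the first scenario: a certificate carrying a single hash in a newer algorithm is unverifiable by any client that has not yet added that algorithm, whereas a certificate carrying one value per algorithm keeps working for both generations of verifier during the changeover.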