[cabfpub] Pre-Ballot 201 - .Onion Revisions

Ben Wilson ben.wilson at digicert.com
Wed May 17 21:31:37 UTC 2017


If Jeremy, Ryan, and Erwann are agreeable, here is a draft re-ballot of
Ballot 198.

Ballot 201 - .Onion Revisions 

This ballot is meant to cure any potential problems with Ballot 198, which
may have been invalid due to ambiguities in what was presented to the Forum
for vote. This Ballot 201 attempts to clarify Appendix F of the EV
Guidelines concerning the Tor Service Descriptor Hash extension and that
inclusion of the extension in the TBSCertificate is required. 

The following motion has been proposed by Jeremy Rowley of DigiCert and
endorsed by Ryan Sleevi of Google and Erwann Abalea of DocuSign France to
introduce new Final Maintenance Guidelines for the "Guidelines for the
Issuance and Management of Extended Validation Certificates" (EV
Guidelines). 

-- MOTION BEGINS -- 

Revise Appendix F, Section 1 to read as follows: 

Appendix F - Issuance of Certificates for .onion Domain Names 

A CA may issue an EV Certificate with .onion in the right-most label of the
Domain Name provided that issuance complies with the requirements set forth
in this Appendix: 

1. CAB Forum Tor Service Descriptor Hash extension (2.23.140.1.31) 

The CA MUST include the CAB Forum Tor Service Descriptor Hash extension in
the TBSCertificate to convey hashes of keys related to .onion addresses. The
CA MUST include the Tor Service Descriptor Hash extension using the
following format: 

cabf-TorServiceDescriptorHash OBJECT IDENTIFIER ::= { 2.23.140.1.31 }

SEQUENCE SIZE (1..MAX) OF TorServiceDescriptorHash

TorServiceDescriptorHash ::= SEQUENCE {
    onionURI                UTF8String,
    algorithm               AlgorithmIdentifier,
    subjectPublicKeyHash    BIT STRING
}

Where the AlgorithmIdentifier is a hashing algorithm (defined in RFC 6234)
performed over the DER-encoding of an ASN.1 SubjectPublicKey of the .onion
service and subjectPublicKeyHash is the hash output.

--Motion Ends-- 

 

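As an added illustration of the extension format in the ballot above (not part of the ballot, the message, or any CA/Browser Forum code), the following stdlib-only Python builds a DER-encoded Tor Service Descriptor Hash extension (OID 2.23.140.1.31) from one or more (onionURI, hash algorithm, DER public key) entries, parses it back, and re-verifies each hash. The sample key bytes and the example .onion name are constructed placeholders, not a real service; SHA-256 is used as the RFC 6234 hash with the RFC 5754 convention of an absent AlgorithmIdentifier parameter. The ballot says the hash is over "the DER-encoding of an ASN.1 SubjectPublicKey" without naming a precise structure, so the code hashes whatever DER bytes the caller passes and leaves that choice to the reader.

```python
"""Build, parse and verify the CA/Browser Forum Tor Service Descriptor Hash
extension (2.23.140.1.31) with a minimal DER codec.  Added example; it is not
the ballot's or the Forum's code.  Sample inputs below are constructed."""
import hashlib

CABF_TOR_SERVICE_DESCRIPTOR_HASH = "2.23.140.1.31"
SHA256_OID = "2.16.840.1.101.3.4.2.1"          # id-sha256, parameters absent (RFC 5754)
HASH_BY_OID = {SHA256_OID: hashlib.sha256}    # extend with other RFC 6234 hashes as needed

# Constructed stand-in for the .onion service's DER public key (NOT a real key).
SAMPLE_SPK_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x7B, 0x02, 0x01, 0x03])
SAMPLE_ONION_URI = "abcdefghijklmnop.onion"  # constructed placeholder name


def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                              # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_extension(entries) -> bytes:
    """entries: iterable of (onion_uri, hash_oid, subject_public_key_der).
    Returns the DER Extension { extnID, extnValue } with critical left at its default."""
    seq_of = b""
    for onion_uri, hash_oid, spk_der in entries:
        digest = HASH_BY_OID[hash_oid](spk_der).digest()
        seq_of += tlv(0x30, tlv(0x0C, onion_uri.encode("utf-8"))   # onionURI UTF8String
                      + tlv(0x30, encode_oid(hash_oid))            # AlgorithmIdentifier
                      + tlv(0x03, b"\x00" + digest))               # BIT STRING, 0 unused bits
    return tlv(0x30, encode_oid(CABF_TOR_SERVICE_DESCRIPTOR_HASH) + tlv(0x04, tlv(0x30, seq_of)))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos); definite lengths only, as DER requires."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        if k == 0 or k > 4:
            raise ValueError("indefinite or oversized length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:pos + n], pos + n


def expect(buf: bytes, pos: int, tag: int):
    t, content, nxt = read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{t:02x}")
    return content, nxt


def parse_extension(ext_der: bytes):
    """Decode the Extension; returns a list of (onionURI, algorithm OID, hash bytes)."""
    ext, end = expect(ext_der, 0, 0x30)
    oid_b, pos = expect(ext, 0, 0x06)
    if end != len(ext_der) or decode_oid(oid_b) != CABF_TOR_SERVICE_DESCRIPTOR_HASH:
        raise ValueError("not a well-formed Tor Service Descriptor Hash extension")
    if read_tlv(ext, pos)[0] == 0x01:            # optional 'critical BOOLEAN' before extnValue
        _, pos = expect(ext, pos, 0x01)
    extn_value, pos = expect(ext, pos, 0x04)
    seq_of, end = expect(extn_value, 0, 0x30)
    if pos != len(ext) or end != len(extn_value):
        raise ValueError("trailing bytes in extension")
    entries, pos = [], 0
    while pos < len(seq_of):
        item, pos = expect(seq_of, pos, 0x30)
        uri_b, p = expect(item, 0, 0x0C)
        alg, p = expect(item, p, 0x30)
        alg_oid_b, _ = expect(alg, 0, 0x06)
        bits, p = expect(item, p, 0x03)
        if p != len(item) or not bits or bits[0] != 0:
            raise ValueError("malformed TorServiceDescriptorHash")
        entries.append((uri_b.decode("utf-8"), decode_oid(alg_oid_b), bits[1:]))
    if not entries:
        raise ValueError("SEQUENCE OF requires at least one entry (SIZE 1..MAX)")
    return entries


def verify_entry(entry, spk_der: bytes) -> bool:
    """Recompute the named hash over the service's DER public key and compare."""
    _uri, alg_oid, digest = entry
    h = HASH_BY_OID.get(alg_oid)
    return h is not None and h(spk_der).digest() == digest


if __name__ == "__main__":
    ext = build_extension([(SAMPLE_ONION_URI, SHA256_OID, SAMPLE_SPK_DER)])
    for e in parse_extension(ext):
        print(e[0], e[1], e[2].hex(), "ok" if verify_entry(e, SAMPLE_SPK_DER) else "MISMATCH")
```

The parser rejects an empty SEQUENCE OF, a BIT STRING with unused bits, indefinite lengths and trailing bytes, which are the checks a linter for this extension would want before trusting the hash values; `verify_entry` then ties each entry back to the key the relying party actually fetched for the service.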
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Pre-Ballot-201-Appendix F.pdf
Type: application/pdf
Size: 100568 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170517/2b79794e/attachment-0002.pdf>