[cabfpub] Pre-Ballot 201 - .Onion Revisions

Ryan Sleevi sleevi at google.com
Wed May 24 14:16:15 UTC 2017

Apologies Ben, I somehow missed this message.

Thanks for your hard work on doing this. Happy to endorse, with one request.

----- MOTION BEGINS -----
Part 1:
The CA/Browser Forum, recognizing that Ballot 198 did not include a redline
version against the current Final Maintenance Guidelines, thereby
constitutes an invalid Ballot. As a consequence, the Forum agrees that the
changes shall not be made to the appropriate Final Maintenance Guideline,
and as such, no IP Review Notice is in force for Ballot 198:

Part 2:
(As written)
----- MOTION ENDS -----

That seems to be the most consistent interpretation based on the thread,
and the best way to move forward.

On Wed, May 17, 2017 at 5:31 PM, Ben Wilson via Public <public at cabforum.org> wrote:

> *If Jeremy, Ryan, and Erwann are agreeable, here is a draft re-ballot of
> Ballot 198.*
> *Ballot 201 - .Onion Revisions*
> This ballot is meant to cure any potential problems with Ballot 198, which
> may have been invalid due to ambiguities in what was presented to the Forum
> for vote. This Ballot 201 attempts to clarify Appendix F of the EV
> Guidelines concerning the Tor Service Descriptor Hash extension and that
> inclusion of the extension in the TBSCertificate is required.
> The following motion has been proposed by Jeremy Rowley of DigiCert and
> endorsed by Ryan Sleevi of Google and Erwann Abalea of DocuSign France to
> introduce new Final Maintenance Guidelines for the "Guidelines for the
> Issuance and Management of Extended Validation Certificates" (EV
> Guidelines).
> Revise Appendix F, Section 1 to read as follows:
> Appendix F – Issuance of Certificates for .onion Domain Names
> A CA may issue an EV Certificate with .onion in the right-most label of
> the Domain Name provided that issuance complies with the requirements set
> forth in this Appendix:
> 1. CAB Forum Tor Service Descriptor Hash extension (
> The CA MUST include the CAB Forum Tor Service Descriptor Hash extension in
> the TBSCertificate to convey hashes of keys related to .onion addresses.
> The CA MUST include the Tor Service Descriptor Hash extension using the
> following format:
> cabf-TorServiceDescriptorHash OBJECT IDENTIFIER ::= { }
> SEQUENCE ( 1..MAX ) OF TorServiceDescriptorHash
> TorServiceDescriptorHash ::= SEQUENCE {
>     onionURI               UTF8String,
>     algorithm              AlgorithmIdentifier,
>     subjectPublicKeyHash   BIT STRING
> }
> Where the AlgorithmIdentifier is a hashing algorithm (defined in RFC 6234)
> performed over the DER-encoding of an ASN.1 SubjectPublicKey of the .onion
> service and SubjectPublicKeyHash is the hash output.
> --Motion Ends--
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public