[cabfpub] DV issuance for next-generation onion services

Peter Bowen pzb at amzn.com
Fri Nov 3 16:40:55 UTC 2017

> On Nov 3, 2017, at 9:31 AM, Seth David Schoen via Public <public at cabforum.org> wrote:
> Gervase Markham writes:
>> I think you make a good case. We would need to specify carefully which
>> validation methods make sense but other than that, I agree that the
>> cryptographic improvements in NG names make the EV requirement
>> superfluous, and that DV should be permitted.
> That leaves only the three methods based on connecting to the site itself:
> Agreed‐Upon Change to Website
> Test Certificate
> TLS Using a Random Number
> It's possible to imagine creating a new validation method based on
> properties of the onion site protocol itself (e.g., ability to sign
> a challenge with the onion key, or ability to sign a challenge with a
> key signed with the onion key).  Right now, my intuition is that this
> would add a lot of extra complexity for minimal benefit, so I wouldn't
> advocate any onion-specific validation methods.


I’m honestly not a big fan of being limited to these three methods — they all are methods which have be completed by someone with access to the “backend” server but not necessarily the onion proxy.  What options might exist for validation that are closer to the DNS validation method for Internet names?  How could a CA confirm that they onion name “owner” has approved the request?


More information about the Public mailing list