[cabfpub] DV issuance for next-generation onion services
Seth David Schoen
schoen at eff.org
Tue Nov 7 01:27:02 UTC 2017
Ryan Sleevi writes:
> On Mon, Nov 6, 2017 at 8:56 AM, Fotis Loukos <fotisl at ssl.com> wrote:
> > I agree with Seth Schoen's proposal for using 3.2.2.4.6, 3.2.2.4.9 and
> > 3.2.2.4.10 since these methods prove control of the web server serving
> > the content. I would also like to suggest adding a tor specific method
> > that proves possession of the private key corresponding to the NG .onion
> > address, such as b from EV SSL guidelines appendix F.
>
> Indeed; it seems structurally better to avoid introducing additional
> dependencies (e.g. a proper functioning Tor implementation), and the EVG's
> method of proof of possession provides such a strong guarantee without
> supplemental dependency.
I think I agree in principle with re-using this method, but the definition
of the method currently contains at least one EV-specific concept, the
Verified Method of Communication ("[a] caSigningNonce attribute that
[...] [is] delivered to the Applicant through a Verified Method of
Communication"), so it would require some adjustment to be relevant to
DV issuance. One option is simply to remove 2(b)(i)(3) for DV issuance
purposes.
--
Seth Schoen <schoen at eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107