[Servercert-wg] Voting Begins: Ballot SC27v3: Version 3 Onion Certificates

Christopher Kemmerer chris at ssl.com
Thu Feb 13 12:40:47 MST 2020


SSL.com votes YES on SC27v3.

- csk

On 2/12/2020 2:00 PM, Wayne Thayer via Servercert-wg wrote:
> This begins the voting period for Version 3 of ballot SC27: Version 3 
> Onion Certificates
>
> Purpose of Ballot:
>
> This ballot will permit CAs to issue DV and OV certificates containing 
> Tor onion addresses using the newer version 3 naming format.
>
> In ballot 144, later clarified by ballots 198/201, the Forum created 
> rules for issuing EV certificates containing onion addresses. A 
> primary reason for requiring EV level validation was that onion 
> addresses were cryptographically weak, relying on RSA-1024 and SHA-1. 
> More recently a newer "version 3" addressing scheme has removed these 
> weaknesses. For much the same reason that EV certificates are not 
> always a viable option for website operators (e.g. sites operated by 
> individuals), many onion sites would benefit from the availability of 
> DV and OV certificates for version 3 onion addresses.
>
> The Tor Service Descriptor Hash extension required in the EV 
> Guidelines to contain the full hash of the keys related to the .onion 
> address is no longer needed as this hash is part of the version 3 address.
>
> Older version 2 onion addresses are still in use, so this ballot does 
> not remove the existing EV Guidelines requirements for onion names.
>
> Reference to discussion of EV onion certificates: 
> https://cabforum.org/pipermail/public/2014-November/004569.html
>
> Reference to reasons we required EV in the past: 
> https://cabforum.org/pipermail/public/2015-November/006213.html
>
> Reference to prior discussion of this topic: 
> https://cabforum.org/pipermail/public/2017-November/012451.html
>
>
> The following motion has been proposed by Wayne Thayer of Mozilla and 
> endorsed by Roland Shoemaker of Let's Encrypt and Dimitris 
> Zacharopoulos of HARICA.
>
>
> -- MOTION BEGINS --
>
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” as follows, based on 
> Version 1.6.7, or based on Version 1.6.7 as modified by ballot SC25:
>
> ADD a paragraph to section 3.2.2.4 of the Baseline Requirements as 
> defined in the following redline: 
> https://github.com/cabforum/documents/compare/16a5a9bb78a193266f8d1465de1ee5a1acf5d184..f7a2dba4a2dd6b7209c71c862ad68dca960b6de9
>
> ADD Appendix C to the Baseline Requirements as defined in the 
> following redline: 
> https://github.com/cabforum/documents/compare/16a5a9bb78a193266f8d1465de1ee5a1acf5d184..f7a2dba4a2dd6b7209c71c862ad68dca960b6de9
>
>
> This ballot modifies the "Guidelines for the Issuance and Management 
> of Extended Validation Certificates" as follows based on version 1.7.1:
>
> MODIFY Appendix F as defined in the following redline: 
> https://github.com/cabforum/documents/compare/16a5a9bb78a193266f8d1465de1ee5a1acf5d184..f7a2dba4a2dd6b7209c71c862ad68dca960b6de9
>
> -- MOTION ENDS --
>
>
> This ballot proposes two Final Maintenance Guidelines.
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 25-January 2020 00:00 UTC
>
> End Time: 12-February 2020 20:00 UTC
>
> Vote for approval (7 days)
>
> Start Time: 12-February 2020 20:00 UTC
>
> End Time: 19-February 2020 20:00 UTC

-- 
Chris Kemmerer
Manager of Operations
SSL.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~ To find the reefs, look~~~~~~~~
~~~~     for the wrecks.    ~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
