[Servercert-wg] [EXTERNAL] Voting Begins: Ballot SC27v3: Version 3 Onion Certificates

Aleksandra Kapinos Aleksandra.Kapinos at assecods.pl
Wed Feb 19 10:01:30 MST 2020


Certum votes Yes on ballot SC27v2



Best regards,
Aleksandra Kapinos
Quality Specialist
Security &  Trust Services Division
Asseco Data Systems S.A.
Office in Szczecin
ul. Bajeczna 13
71-838 Szczecin
aleksandra.kapinos at assecods.pl
assecods.pl




From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Wayne Thayer via Servercert-wg
Sent: Wednesday, February 12, 2020 9:00 PM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [EXTERNAL] [Servercert-wg] Voting Begins: Ballot SC27v3: Version 3 Onion Certificates



This begins the voting period for Version 3 of ballot SC27: Version 3 Onion Certificates



Purpose of Ballot:

This ballot will permit CAs to issue DV and OV certificates containing Tor onion addresses using the newer version 3 naming format.



In ballot 144, later clarified by ballots 198/201, the Forum created rules for issuing EV certificates containing onion addresses. A primary reason for requiring EV level validation was that onion addresses were cryptographically weak, relying on RSA-1024 and SHA-1. More recently a newer "version 3" addressing scheme has removed these weaknesses. For much the same reason that EV certificates are not always a viable option for website operators (e.g. sites operated by individuals), many onion sites would benefit from the availability of DV and OV certificates for version 3 onion addresses.



The Tor Service Descriptor Hash extension required in the EV Guidelines to contain the full hash of the keys related to the .onion address is no longer needed as this hash is part of the version 3 address.



Older version 2 onion addresses are still in use, so this ballot does not remove the existing EV Guidelines requirements for onion names.



Reference to discussion of EV onion certificates: https://cabforum.org/pipermail/public/2014-November/004569.html



Reference to reasons we required EV in the past: https://cabforum.org/pipermail/public/2015-November/006213.html



Reference to prior discussion of this topic: https://cabforum.org/pipermail/public/2017-November/012451.html


The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Roland Shoemaker of Let's Encrypt and Dimitris Zacharopoulos of HARICA.




-- MOTION BEGINS --

This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based on Version 1.6.7, or based on Version 1.6.7 as modified by ballot SC25:

ADD a paragraph to section 3.2.2.4 of the Baseline Requirements as defined in the following redline: https://github.com/cabforum/documents/compare/16a5a9bb78a193266f8d1465de1ee5a1acf5d184..f7a2dba4a2dd6b7209c71c862ad68dca960b6de9



ADD Appendix C to the Baseline Requirements as defined in the following redline: https://github.com/cabforum/documents/compare/16a5a9bb78a193266f8d1465de1ee5a1acf5d184..f7a2dba4a2dd6b7209c71c862ad68dca960b6de9





This ballot modifies the "Guidelines for the Issuance and Management of Extended Validation Certificates" as follows based on version 1.7.1:



MODIFY Appendix F as defined in the following redline: https://github.com/cabforum/documents/compare/16a5a9bb78a193266f8d1465de1ee5a1acf5d184..f7a2dba4a2dd6b7209c71c862ad68dca960b6de9



-- MOTION ENDS --


This ballot proposes two Final Maintenance Guidelines.

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 25-January 2020 00:00 UTC

End Time: 12-February 2020 20:00 UTC

Vote for approval (7 days)


Start Time: 12-February 2020 20:00 UTC

End Time:  19-February 2020 20:00 UTC
