[Servercert-wg] Ballot SC27: Version 3 Onion Certificates

Wayne Thayer wthayer at gmail.com
Mon Jan 27 09:51:21 MST 2020


Thank you Tobias, that is a great point. My intent was not to require a
cert containing an onion name to contain only onion names. Does the
following change (in all caps) to section 3.2.2.4 fix that?

The CA SHALL confirm that prior to issuance, the CA has validated each
Fully-Qualified Domain Name (FQDN), other than a Domain Name with .onion in
the right-most label of the Domain Name, listed in the Certificate using at
least one of the methods listed below. In addition, when issuing a
Certificate that includes an FQDN with "onion" as the rightmost label, the
CA SHALL confirm that prior to issuance, the CA has validated each FQDN
listed in the Certificate with "onion" as the rightmost label in accordance
with Appendix C.

- Wayne

On Mon, Jan 27, 2020 at 7:19 AM Tobias S. Josefowitz <tobij at opera.com>
wrote:

> Hi!
>
> On Fri, 24 Jan 2020, Wayne Thayer via Servercert-wg wrote:
>
> > This ballot will permit CAs to issue DV and OV certificates containing
> > Tor onion addresses using the newer version 3 naming format.
> >
> > https://github.com/cabforum/documents/compare/16a5a9bb78a193266f8d1465de1ee5a1acf5d184..fded04ad7f0390931d38af225bea46a4742fb631
>
> Just a thought; is requiring all FQDNs present in the cert to be verified
> in accordance with Appendix 3 as soon as one FQDN present in the cert is a
> ".onion"-FQDN the best and/or most clear way of saying "a certificate
> including so much as one '.onion'-FQDN may only include '.onion'-FQDNs"?
>
> Tobi
>
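The rule in Wayne's proposed wording routes each FQDN in a certificate to one of two validation paths depending only on its right-most label. The following added illustration (not CA/B Forum text, not any CA's code) shows that split over a constructed list of SANs, including the cases a CA's linter has to get right: "onion" appearing in a non-terminal label, a trailing dot, mixed case, and a subdomain of an onion name. It also flags whether the onion label has the version 3 shape (56 base32 characters), which is Tor's v3 format and not something the ballot text on this page spells out.

```python
import re

# Constructed sample dNSName SANs for the demonstration; none is a real name.
SAMPLE_SANS = [
    "example.com",
    "www.example.com",
    "onion.example.com",           # "onion" is NOT the right-most label
    "EXAMPLE.ONION.",              # trailing dot and upper case still count
    "a" * 56 + ".onion",           # placeholder with the v3 shape
    "www." + "a" * 56 + ".onion",  # subdomain of an onion name
    "abcdefghijklmnop.onion",      # 16-char label: not the v3 shape
]

# Tor v3 onion service names have a 56-character base32 label before ".onion".
V3_LABEL_RE = re.compile(r"[a-z2-7]{56}")


def rightmost_label(fqdn):
    """Right-most DNS label, lower-cased, ignoring a trailing root dot."""
    return fqdn.rstrip(".").rsplit(".", 1)[-1].lower()


def is_v3_onion(fqdn):
    """True if the label directly before 'onion' has the v3 shape."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        return False
    return V3_LABEL_RE.fullmatch(labels[-2]) is not None


def validation_plan(names):
    """Map each SAN to the validation path the proposed 3.2.2.4 text requires."""
    plan = {}
    for n in names:
        if rightmost_label(n) == "onion":
            plan[n] = ("Appendix C (v3 format)" if is_v3_onion(n)
                       else "Appendix C (not v3 format)")
        else:
            plan[n] = "3.2.2.4"
    return plan


if __name__ == "__main__":
    for name, path in validation_plan(SAMPLE_SANS).items():
        print(f"{name:70} -> {path}")
```

The point of the comparison against the right-most label rather than a substring match is visible in the third sample: "onion.example.com" is an ordinary FQDN under .com and goes through a 3.2.2.4 method, exactly as the proposed wording says.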