[Servercert-wg] Message

Aaron Gable aaron at letsencrypt.org
Mon Jul 31 22:41:12 UTC 2023


Agreed, I look forward to discussing this with the whole group.

In general I strongly approve of having CAA checks for all forms of
issuance. However, this version of CAA (implemented as a new second layer
hidden service descriptor) requires the CA to operate a Tor Client in order
to inspect it. This (in my opinion) completely obviates the benefits of the
proposed "onion-csr-01" method (equivalent to the current BRs Appendix B
2.b. method) -- namely that the whole validation process can be conducted
without the CA operating a Tor client to reach out to the onion service in
question. I believe that requiring CAA checks *of this form* will prevent
adoption / implementation by CAs, and thus defeats the purpose of the draft.

Aaron

On Thu, Jul 27, 2023 at 10:40 AM Tim Hollebeek via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Hello Q,
>
> My opinion is that this would be a great discussion to have at an upcoming
> meeting of the Validation Subcommittee.
>
> -Tim
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf Of *Dean
> Coclin via Servercert-wg
> *Sent:* Wednesday, July 26, 2023 7:22 PM
> *To:* servercert-wg at cabforum.org
> *Subject:* [Servercert-wg] Message
>
> One of the new Interested Party members tried to post to the group but it
> bounced. I’ve asked Wayne to look at it but in the meantime, I’m reposting
> the message for him:
>
> I'd like to start some discussion on the WG's opinions of CAA for Tor
> hidden services, using my draft-ietf-acme-onion
> <https://url.avanan.click/v2/___https:/e.as207960.net/w4bdyj/cNl2iFrs___.YXAzOmRpZ2ljZXJ0OmE6bzpkYjQ2NzJkNWY3YjUxMTJiZmQxNjNmYTk2NTBhZjhkMzo2OjQyMTU6MDk0MWNmODEyMzRiODQ1NDJmNDQ3ZDM3ZGVlYTJlMTllMjg2YTJmMTc2NWMwODE1ZmY4ODhiNGFlOGMzZTEwZjpoOkY>
> and my Tor Spec proposal 343-rend-caa
> <https://url.avanan.click/v2/___https:/e.as207960.net/w4bdyj/YAae97pn___.YXAzOmRpZ2ljZXJ0OmE6bzpkYjQ2NzJkNWY3YjUxMTJiZmQxNjNmYTk2NTBhZjhkMzo2OjBmOGU6NjBhMWYzOTE5ZDVkYmQ1Y2EzZjJkZDA5NTVmZDA1ZjZmNzY2NjdlOGFhOTk2NmUxMTU4M2I1MGZlZWMwNWQwYjpoOkY>,
> as part of the ACME for Onions
> <https://url.avanan.click/v2/___https:/e.as207960.net/w4bdyj/wi4TBMXN___.YXAzOmRpZ2ljZXJ0OmE6bzpkYjQ2NzJkNWY3YjUxMTJiZmQxNjNmYTk2NTBhZjhkMzo2OjQ4NDU6ZjExMjlmOGQzNWZjZjNhZGNjMDhlZWVhZDRlNmQyODBhMTAzOTJiMjUzMWExYjM1OGEzZTJmODAyZDFlMGQzMzpoOkY>
>  project.
>
> Specifically:
>
> - is this something the WG likes?
>
> - should CAA checking be required for Tor?
>
>
> Thanks,
>
> Q Misell
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>