[cabfpub] .onion and .exit
jeremy.rowley at digicert.com
Tue Oct 14 09:29:42 MST 2014
Yeah - we specified IANA. I can see the point in providing certs. I think Tor uses NSS for its roots, and I know there has been use of bogus digital certificates to spy on the network.
From the BRs:
Internal Name: A string of characters (not an IP address) in a Common Name or Subject Alternative Name field of
a Certificate that cannot be verified as globally unique within the public DNS at the time of certificate issuance
because it does not end with a Top Level Domain registered in IANA’s Root Zone Database
From: hallam at gmail.com [mailto:hallam at gmail.com] On Behalf Of Phillip Hallam-Baker
Sent: Tuesday, October 14, 2014 10:21 AM
To: Jeremy Rowley
Subject: Re: [cabfpub] .onion and .exit
On Tue, Oct 14, 2014 at 12:15 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> Right now the CAB Forum guidelines treat .onion and .exit as internal
> names, despite them being understandable and unique addresses in Tor.
> I’m wondering whether CAs should support issuance of certs to these
> names if the server operator can demonstrate control over the service.
> Right now, issuance of these certs will be prohibited next year since
> the definition of internal names is basically anything not registered
> by IANA. Is there any interest in creating an exception for these anonymous services?
Did we really specify IANA or ICANN? I was pretty sure we were avoiding that.
That said, I don't see the point of issuing certificates for an anonymizing network.
More information about the Public