[cabfpub] .onion and .exit

[Jeremy Rowley]

Thanks Adam - I'd greatly appreciate their input on this. 

-----Original Message-----
From: Adam Langley [mailto:agl at google.com] 
Sent: Thursday, October 16, 2014 11:58 AM
To: Jeremy Rowley
Cc: Gervase Markham; Phillip Hallam-Baker; CABFPub
Subject: Re: [cabfpub] .onion and .exit

On Thu, Oct 16, 2014 at 10:42 AM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> I think it makes sense in even a DV concept.  A user seeing that the cert has the .onion address as well as the .com address receives some assurance that both are controlled by the same entity.  If the user can accept google.com as solely controlled by Google, they have some verification under the BRs that the domains in the same certificate are also controlled by that entity.
>
> Granted, EV provides a higher level of assurance, but there is still assurances of control provided by DV and OV.  The goal is to remove anonymity for the service provider while sill giving the user the same anonymity benefits provided by the .onion addresses.

I give a very low weighting to the idea that putting two names in the same certificate is useful because it requires that users dig around in certificates and look at the SAN values. Also, it's quite common that such a guideline goes wrong: hosting providers might have dozens of site names in the same certificate but those sites aren't all run by the same entity -- they are only served by the same entity.

But an EV certificate for a .onion doesn't seem inherently daft. I still think that the Tor project should be invited to voice their opinion however. I'll go point some people at this thread.


Cheers

AGL