[cabfpub] .onion and .exit

Jeremy.Rowley jeremy.rowley at digicert.com
Thu Oct 23 15:11:07 MST 2014


Thanks Ryan.  Adam didn't seem as strongly opposed as you are in this 
email.  Also, Adam was going to reach out to Tor and get them to provide 
input.  Is that still happening?

Jeremy


On 10/23/2014 3:30 PM, Ryan Sleevi wrote:
> The BRs are clear in Section 9.2.1 that putting values other than 
> dNSName and iPAddress in a SAN are PROHIBITED. It states very clearly 
> that the entries of this type MUST be of these two forms.
>
> This is because the BRs describe precisely how to validate these 
> information fields. Other field types, such as URI or rfc822name, are 
> NOT described for how to validate in the BRs, and thus are prohibited 
> (as part of the general restrictions of the BRs to prohibit any 
> unvalidated information / any information that's not consistently 
> validated).
>
> Similarly, per Section 9.2.1, the names .onion and .exit constitute 
> Internal Server Names, and are thus deprecated and STRONGLY 
> discouraged. We would not support any CA issuing for such names.
>
> If and when such a time as IANA or the IETF takes action to indicate 
> that these are Reserved Domain Names, they would still constitute 
> Internal Server Names and thus not be permissible to issue, the same 
> as issuing a certificate for foo.localhost would not be valid.
>
> On Wed, Oct 22, 2014 at 6:40 PM, Jeremy Rowley 
> <jeremy.rowley at digicert.com> wrote:
>
>     Any thoughts from the browsers on Peter's idea?  Can CAs use SAN
>     options other than DNS Name for this type of information? Do
>     browsers use the other options?
>
>     Jeremy
>
>     -----Original Message-----
>     From: public-bounces at cabforum.org
>     [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
>     Sent: Friday, October 17, 2014 8:21 AM
>     To: Gervase Markham; Adam Langley
>     Cc: Phillip Hallam-Baker; CABFPub
>     Subject: Re: [cabfpub] .onion and .exit
>
>     Adding Peter Bowen's comment to the discussion:
>
>     What about using the uniformResourceIdentifier option for
>     subjectAlternativeName?
>
>     The Baseline Requirements say "Each entry MUST be either a dNSName
>     containing the Fully-Qualified Domain Name or an iPAddress
>     containing the IP address of a server", which would appear to rule
>     this out, but I'm not sure if that was the intention.  Do the BRs
>     really mean to disallow putting rfc822Name, directoryName, or
>     other types of names in the SAN?
>
>     Thanks,
>     Peter
>
>
>     -----Original Message-----
>     From: Gervase Markham [mailto:gerv at mozilla.org]
>     Sent: Friday, October 17, 2014 3:18 AM
>     To: Jeremy Rowley; Adam Langley
>     Cc: Phillip Hallam-Baker; CABFPub
>     Subject: Re: [cabfpub] .onion and .exit
>
>     On 16/10/14 18:01, Jeremy Rowley wrote:
>     > I asked a couple of companies who have requested these types of
>     > certs about this and here is one reason for wanting a cert:
>
>     It looks like the real issue here is proving real-world ownership
>     and control of .onion addresses, either by tying them to an
>     existing real-world website (DV with multiple SANs) or an identity
>     (EV).
>
>     In the EV case, the UI would show the tied identity, but not in
>     the DV case. Although the Tor Browser Bundle could be updated to
>     do something smart - if there's a .onion address, instead show the
>     DNS name from the first non-onion SAN, or something.
>
>     (You may remember a while back I suggested that internal server
>     name certs should have at least one globally-resolvable name in,
>     and that browsers should display that instead, even if the
>     internal name was used. This is a similar idea.)
>
>     Gerv
>     _______________________________________________
>     Public mailing list
>     Public at cabforum.org
>     https://cabforum.org/mailman/listinfo/public
>
>
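The rule Ryan quotes above (every SAN entry MUST be a dNSName or an iPAddress, and .onion/.exit names are Internal Server Names) is easy to turn into a pre-issuance lint. The following is an added example, not part of this thread and not CA/B Forum or DigiCert code: it parses a DER-encoded SubjectAltName value with a small hand-written TLV reader (no third-party library) and reports entries that violate the quoted text. The sample SAN bytes, the example.com and .onion names, and the 192.0.2.10 address are constructed for the demonstration.

```python
"""Lint a DER-encoded SubjectAltName value against the Baseline Requirements
rule quoted in the thread: every entry must be a dNSName or an iPAddress, and
names under .onion / .exit are treated as Internal Server Names.
Added example with a minimal DER parser; not CA/B Forum text or code."""

# GeneralName context tags from RFC 5280, section 4.2.1.6
GENERAL_NAME_TAGS = {
    0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
    4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
    7: "iPAddress", 8: "registeredID",
}
ALLOWED = {"dNSName", "iPAddress"}          # the two forms BR 9.2.1 permits
INTERNAL_SUFFIXES = (".onion", ".exit")     # treated as Internal Server Names


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at buf[pos:].
    Handles short-form and long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_general_names(der):
    """Parse a GeneralNames SEQUENCE into a list of (type_name, value) pairs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    entries = []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag & 0xC0 != 0x80:              # every GeneralName is context-specific [n]
            raise ValueError("non-context tag in GeneralNames")
        name_type = GENERAL_NAME_TAGS.get(tag & 0x1F, "unknown")
        if name_type == "iPAddress":
            value = ".".join(str(b) for b in value) if len(value) == 4 else value.hex()
        elif name_type in ("dNSName", "rfc822Name", "uniformResourceIdentifier"):
            value = value.decode("ascii")   # IA5String payloads
        entries.append((name_type, value))
    return entries


def lint_san(entries):
    """Return one finding string per entry that violates the quoted BR text."""
    findings = []
    for name_type, value in entries:
        if name_type not in ALLOWED:
            findings.append(f"{name_type} entry {value!r}: type not permitted by BR 9.2.1")
        elif name_type == "dNSName" and value.lower().rstrip(".").endswith(INTERNAL_SUFFIXES):
            findings.append(f"dNSName {value!r}: .onion/.exit is an Internal Server Name")
    return findings


def _gn(tag_number, payload):
    """Encode one context-tagged primitive GeneralName (constructed sample data)."""
    assert len(payload) < 128               # short-form length is enough here
    return bytes([0x80 | tag_number, len(payload)]) + payload


# Constructed sample SAN: one ordinary dNSName, one .onion dNSName, one URI,
# and one IPv4 address from the documentation range (all placeholder values).
_BODY = (
    _gn(2, b"www.example.com")
    + _gn(2, b"abcdefghijklmnop.onion")
    + _gn(6, b"http://abcdefghijklmnop.onion/")
    + _gn(7, bytes([192, 0, 2, 10]))
)
SAMPLE_SAN = bytes([0x30, len(_BODY)]) + _BODY


if __name__ == "__main__":
    for finding in lint_san(parse_general_names(SAMPLE_SAN)):
        print(finding)
```

Run against the constructed SAN, the lint reports the .onion dNSName and the uniformResourceIdentifier entry and passes the ordinary dNSName and the iPAddress. A real deployment would feed it the extension value pulled from a CSR or pre-certificate before signing.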
