[cabfpub] .onion and .exit

Ryan Sleevi sleevi at google.com
Thu Oct 23 16:32:43 MST 2014


I think that's more contingent upon whatever steps IANA takes and the
interest from the developer community.

Put differently, I think placing it as a normal dNSName COULD be perfectly
fine. I don't think it really reduces risk to use an alternate name, for
any meaningful definition of risk, IF it is appropriately carved out from
the DNS.

On Oct 23, 2014 4:27 PM, "Jeremy.Rowley" <jeremy.rowley at digicert.com> wrote:

>  I completely agree.  Until we hear from Tor and other interested parties,
> there isn't a need to formulate a ballot for the exception. However,
> assuming support is shown for Tor, would putting it in a lesser used SAN
> entry be the best place rather than creating a broader exception or using a
> different field?
>
> Jeremy
>
>
> On 10/23/2014 5:01 PM, Ryan Sleevi wrote:
>
> My comment was merely that it's not permitted under the BRs today, and a
> ballot would need to change that.
>
> As Adam notes, it is possible to come up with unique identification
> schemes, if the necessary steps are taken first (IANA registration and a BR
> ballot among them).
>
> To support a ballot, demonstration of interest from the affected parties
> would be needed.
> On Oct 23, 2014 3:52 PM, "Adam Langley" <agl at google.com> wrote:
>
>> On Thu, Oct 23, 2014 at 3:11 PM, Jeremy.Rowley
>> <jeremy.rowley at digicert.com> wrote:
>> > Thanks Ryan.  Adam didn't seem as strongly opposed as you are in this
>> > email. Also, Adam was going to reach out to Tor and get them to provide
>> > input.  Is that still happening?
>>
>> I did point them at this thread. I'm guessing that they have lots to
>> do I'm afraid.
>>
>> Issuing in a non-IANA domain is not to be done lightly and is against
>> the Baseline currently. However, I don't agree that this is
>> intrinsically the same as internal names since a specific onion
>> address does globally, uniquely identify someone. It is something that
>> could, plausibly, have a certificate.
>>
>> But if .onion is ok, what about all the other pseudo-TLDs that people
>> use? If Tor want this then I wonder that they might need to support,
>> say, onion.torproject.org in order to root it correctly in IANA space.
>> Then it's a change to the Baseline validation rules, which is still a
>> one-off hack, but I like Tor so I don't discount it out of hand.
>>
>> But without Tor fighting for it I'm not sure that there's much hope.
>>
>>
>> Cheers
>>
>> AGL
>>
>
>