[cabfpub] Ballot 144 -.onion domains

[Gervase Markham]

On 12/02/15 20:43, kirk_hall at trendmicro.com wrote:
> For example, Evil Corp. and Angel Corp. could each submit a request for
> a .onion cert and get the same domain: _[same 16 digit hash of their
> public keys].onion_ if their public keys hash to the same value.  One
> cert would say O=Evil Corp. the other would say O=Angel Corp., so that a
> .onion domain would not be uniquely identified with one subject.  While
> unlikely, it could happen.

Have you been able to put a figure on the likelihood of this occurrence?

I think I could calculate it, but I'm interested in what figure you came
up with that led to your concern.

> (2)  Does this also create an opportunity for a hacker?  For example,
> one of the .onion domains in the SANs field of the Facebook cert you
> created is _*.xx.fbcdn23dssr3jqnq.onion_ – could a hacker create a
> public key that would hash to the same value in order to get a cert with
> the same .onion domain and imitate the Facebook cert?  (This is maybe
> the more serious case.)

Being able to create some text which hashes to a specific, defined value
that you are targetting would be what's called a Preimage attack:
http://en.wikipedia.org/wiki/Preimage_attack

SHA-1 has no known preimage attacks.

Tor .onion names use 80 bits of the SHA-1 hash, which is not the full
hash, so it's possible that they might be slightly easier to attack.
While there are no known attacks, my understanding is that the Tor
people are looking at moving to SHA-256 as a precautionary measure.

> (3) Another concern is there is no central registry to identify the
> owner of a .onion domain (of course, there could be multiple owners of
> the domain under the scenario above).  If there is no Subject info in
> the O field, etc., with no registry there is no real way to contact the
> domain (or cert owner). 

.onion certs are going to be EV, right? So they would have Subject info
in the O field.

Gerv