[cabfpub] Ballot 144 -.onion domains

[kirk_hall at trendmicro.com]

Maybe you're right on that point, Gerv.  

One other question:   Does Tor do revocation checking for .onion certs?  I'm guessing not for privacy reasons...  I know some browsers have given up some revocation checking (a mistake in my opinion), but if we know an application never checks for revocation as a matter of policy, that would concern me.  There would be no way to remove a bad cert (used for fraud or abuse, or misissued to the wrong party) from the Tor system, even if the CA revokes it.

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Friday, February 13, 2015 9:58 AM
To: Kirk Hall (RD-US); Tom Ritter
Cc: Jeremy Rowley (jeremy.rowley at digicert.com); Ben Wilson (Ben.Wilson at digicert.com); CABFPub (public at cabforum.org)
Subject: Re: [cabfpub] Ballot 144 -.onion domains

On 13/02/15 17:51, kirk_hall at trendmicro.com wrote:
> Terrific calculations, Tom -- but I'm wondering how hard it was for 
> Facebook to get their multiple .onion domains that included 
> "facebook".
>
> Yes, I'm concerned about the possibility of an exact clash, but I'm 
> also concerned about the ability of a hacker to get a .onion domain 
> that includes names commonly sought by hackers.

Insofar as this issue is in scope for the CAB Forum, why can't we solve it using exactly the same mechanisms we use to solve it for non-onion domain names?

Gerv

<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table>