[cabfpub] DV issuance for next-generation onion services
Seth David Schoen
schoen at eff.org
Fri Nov 3 16:31:26 UTC 2017
Gervase Markham writes:
> I think you make a good case. We would need to specify carefully which
> validation methods make sense but other than that, I agree that the
> cryptographic improvements in NG names make the EV requirement
> superfluous, and that DV should be permitted.
Thanks for the encouragement, Gerv! The methods that I think are
inapplicable to onion sites are
3.2.2.4.1 Validating the Applicant as a Domain Contact
3.2.2.4.2 Email, Fax, SMS, or Postal Mail to Domain Contact
3.2.2.4.3 Phone Contact with Domain Contact
3.2.2.4.4 Constructed Email to Domain Contact
3.2.2.4.5 Domain Authorization Document
3.2.2.4.7 DNS Change
3.2.2.4.8 IP Address
This is because onion sites don't use DNS lookups, don't have registrars,
and don't have domain contacts.
That leaves only the three methods based on connecting to the site itself:
3.2.2.4.6 Agreed-Upon Change to Website
3.2.2.4.9 Test Certificate
3.2.2.4.10 TLS Using a Random Number
It's possible to imagine creating a new validation method based on
properties of the onion site protocol itself (e.g., ability to sign
a challenge with the onion key, or ability to sign a challenge with a
key signed with the onion key). Right now, my intuition is that this
would add a lot of extra complexity for minimal benefit, so I wouldn't
advocate any onion-specific validation methods.
--
Seth Schoen <schoen at eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107
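As an added illustration (not part of the thread above) of why the "cryptographic improvements in NG names" bind a name to a key: a next-generation onion address is the site's Ed25519 public key itself, followed by a checksum and a version byte. The stdlib Python below derives the address from a key and recovers the key from an address, which is the step any challenge-signing validator would start from; the key bytes are constructed for the example, and actual Ed25519 signature verification over the recovered key needs a crypto library and is not shown.

```python
import base64
import hashlib

# Tor next-generation (v3) onion address layout, per the Tor rend-spec-v3:
#   onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
#   PUBKEY        = 32-byte Ed25519 public key, VERSION = 0x03
VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def _checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the .onion hostname that is bound to an Ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_onion_address(address: str) -> bytes:
    """Recover the key a validator would verify a challenge signature with.

    Rejects names that are not v3, carry another version byte, or whose
    checksum does not match (a typo, corruption, or a forged name).
    """
    host = address.lower()
    if not host.endswith(".onion"):
        raise ValueError("not an onion address")
    label = host[: -len(".onion")]
    if len(label) != 56:
        raise ValueError("not a v3 onion address (v2 labels are 16 chars)")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != _checksum(pubkey):
        raise ValueError("checksum mismatch: address is corrupted or forged")
    return pubkey


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed, not a real service key
    addr = onion_v3_address(sample_key)
    print(addr)
    assert pubkey_from_onion_address(addr) == sample_key
```

Because the key is recoverable from the name alone, a CA could in principle validate control of the name by checking a challenge signature against that key, the option the post mentions and declines to advocate.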