[cabfpub] DV issuance for next-generation onion services

Seth David Schoen schoen at eff.org
Tue Nov 7 01:27:02 UTC 2017


Ryan Sleevi writes:

> On Mon, Nov 6, 2017 at 8:56 AM, Fotis Loukos <fotisl at ssl.com> wrote:

> > I agree with Seth Schoen's proposal for using 3.2.2.4.6, 3.2.2.4.9 and
> > 3.2.2.4.10 since these methods prove control of the web server serving
> > the content. I would also like to suggest adding a tor specific method
> > that proves possession of the private key corresponding to the NG .onion
> > address, such as b from EV SSL guidelines appendix F.
> 
> Indeed; it seems structurally better to avoid introducing additional
> dependencies (e.g. a proper functioning Tor implementation), and the EVG's
> method of proof of possession provides such a strong guarantee without
> supplemental dependency.

I think I agree in principle with re-using this method, but the definition
of the method currently contains at least one EV-specific concept, the
Verified Method of Communication ("[a] caSigningNonce attribute that
[...] [is] delivered to the Applicant through a Verified Method of
Communication"), so it would require some adjustment to be relevant to
DV issuance.  One option is simply to remove 2(b)(i)(3) for DV issuance
purposes.

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107