[Servercert-wg] Ballot SC27: Version 3 Onion Certificates
tim.hollebeek at digicert.com
Mon Jan 27 10:48:20 MST 2020
Identifying yourself does not defeat the purpose of Tor. In fact, on the server side, it’s extremely useful. For example, Facebook can provide strong proof that a particular Tor service really is run by Facebook, while giving people on the other end of the connection the anonymity benefits of Tor.
That’s basically why EV Tor certificates exist.
From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Servercert-wg
Sent: Friday, January 24, 2020 10:42 PM
To: Wayne Thayer <wthayer at gmail.com>; servercert-wg at cabforum.org
Subject: Re: [Servercert-wg] Ballot SC27: Version 3 Onion Certificates
It could also theoretically be used for IV certificates too, right? It kind of defeats the purpose of TOR but who knows🙂
From: Wayne Thayer via Servercert-wg <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> >
To: servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org>
Sent: Sat, 25 Jan 2020 1:49
Subject: [Servercert-wg] Ballot SC27: Version 3 Onion Certificates
This begins the discussion period for ballot SC27: Version 3 Onion Certificates
Purpose of Ballot:
This ballot will permit CAs to issue DV and OV certificates containing Tor onion addresses using the newer version 3 naming format.
In ballot 144, later clarified by ballots 198/201, the Forum created rules for issuing EV certificates containing onion addresses. A primary reason for requiring EV level validation was that onion addresses were cryptographically weak, relying on RSA-1024 and SHA-1. More recently a newer "version 3" addressing scheme has removed these weaknesses. For much the same reason that EV certificates are not always a viable option for website operators (e.g. sites operated by individuals), many onion sites would benefit from the availability of DV and OV certificates for version 3 onion addresses.
The Tor Service Descriptor Hash extension required in the EV Guidelines to contain the full hash of the keys related to the .onion address is no longer needed as this hash is part of the version 3 address.
Older version 2 onion addresses are still in use, so this ballot does not remove the existing EV Guidelines requirements for onion names.
Reference to discussion of EV onion certificates: https://cabforum.org/pipermail/public/2014-November/004569.html
Reference to reasons we required EV in the past: https://cabforum.org/pipermail/public/2015-November/006213.html
Reference to prior discussion of this topic: https://cabforum.org/pipermail/public/2017-November/012451.html
The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Roland Shoemaker of Let's Encrypt and Dimitris Zacharopoulos of HARICA.
-- MOTION BEGINS --
This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based on Version 1.6.7, or based on Version 1.6.7 as modified by ballot SC25:
ADD a paragraph to section 188.8.131.52 of the Baseline Requirements as defined in the following redline: https://github.com/cabforum/documents/compare/16a5a9bb78a193266f8d1465de1ee5a1acf5d184..fded04ad7f0390931d38af225bea46a4742fb631
ADD Appendix C to the Baseline Requirements as defined in the following redline: https://github.com/cabforum/documents/compare/16a5a9bb78a193266f8d1465de1ee5a1acf5d184..fded04ad7f0390931d38af225bea46a4742fb631
This ballot modifies the "Guidelines for the Issuance and Management of Extended Validation Certificates" as follows based on version 1.7.1:
MODIFY Appendix F as defined in the following redline: https://github.com/cabforum/documents/compare/16a5a9bb78a193266f8d1465de1ee5a1acf5d184..fded04ad7f0390931d38af225bea46a4742fb631
-- MOTION ENDS --
This ballot proposes two Final Maintenance Guidelines.
The procedure for approval of this ballot is as follows:
Discussion (7+ days)
Start Time: 25-January 2020 00:00 UTC
End Time: No earlier than 01-February 2020 00:00 UTC
Vote for approval (7 days)
Start Time: TBD
End Time: TBD
-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4940 bytes
Desc: not available
More information about the Servercert-wg