[cabf_validation] Onion Proposal

Wayne Thayer wthayer at mozilla.com
Wed Dec 18 18:34:02 MST 2019


As I mentioned on the last call, I'd like to propose that we permit the
issuance of DV/OV certs to Tor onion addresses. A rough draft of the
proposed change is at
https://github.com/cabforum/documents/compare/master...wthayer:br-onion

I'd like to discuss this on tomorrow's Validation SC call.

Credit to Fotis Loukos for a prior proposal upon which this is based.

Comments:
* This change permits version 3 onion names in all types of certificates
* It appears that version 2 addresses are still in wide use, so we
shouldn't yet remove the provisions for those addresses from the EV
Guidelines
* The Tor Service Descriptor Hash extension required in the EVGLs to
contain the full hash of the keys related to the .onion address is no
longer needed as this hash is included in the version 3 address
* BR method 3.2.2.4.6 appears to be the only currently valid 3.2.2.4 method
for verifying control. We can add the new ACME version of method 10 when it
is added to section 3.2.2.4
* I've also included support for the "CSR verification" method defined in
appendix F of the EVGLs
* We may want to handle the Internal Name exception by modifying the
definition or section 4.2.2, rather than in (3) of appendix C

Motivation:
In ballot 144, later clarified by ballots 198/201, the Forum created rules
for issuing EV certificates containing onion addresses. A primary reason
for requiring EV level validation was that onion addresses were
cryptographically weak, relying on RSA-1024 and SHA-1. More recently a
newer "version 3" addressing scheme has addressed these weaknesses. For
much the same reason that EV certificates are not always a viable option
for website operators (e.g. sites operated by individuals), many onion
sites would benefit from the availability of DV and OV certificates for
version 3 onion addresses.

Reference to discussion of EV onion certificates:
https://cabforum.org/pipermail/public/2014-November/004569.html
Reference to reasons we required EV in the past:
https://cabforum.org/pipermail/public/2015-November/006213.html
Reference to prior discussion of this topic:
https://cabforum.org/pipermail/public/2017-November/012451.html

Thanks,

Wayne
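Added example, not part of Wayne's message or of the draft ballot, to make concrete the point that a version 3 address already carries the key material the EV Tor Service Descriptor Hash extension was meant to bind: a v3 address is base32(PUBKEY || CHECKSUM || VERSION) + ".onion", where PUBKEY is the 32-byte ed25519 service key, VERSION is 0x03 and CHECKSUM is the first two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION), as specified in Tor's rend-spec-v3. The code below derives an address from a key and parses one back, rejecting anything with a bad length, version or checksum. The key used in the demo is a constructed placeholder, not a real service key, and this structural check is only a sanity step before the 3.2.2.4 control validation, not a substitute for it.

```python
"""Structural validation of Tor version 3 onion addresses (added example).

Layout per Tor rend-spec-v3:
    onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
    CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    VERSION       = 0x03
The ed25519 public key is embedded in the name itself, so a verifier can
confirm a name is self-consistent without a separate key-hash extension.
"""
import base64
import hashlib

ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
_LABEL_LEN = 56  # base32 of 35 bytes (32 key + 2 checksum + 1 version), no padding


def onion_v3_checksum(pubkey: bytes, version: bytes = ONION_V3_VERSION) -> bytes:
    """Two-byte checksum that binds the key to the address version."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]


def encode_onion_v3_raw(pubkey: bytes, checksum: bytes,
                        version: bytes = ONION_V3_VERSION) -> str:
    """Encode the three fields as given; lets a test build deliberately bad names."""
    return base64.b32encode(pubkey + checksum + version).decode("ascii").lower() + ".onion"


def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """Derive the canonical v3 address for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    return encode_onion_v3_raw(pubkey, onion_v3_checksum(pubkey))


def parse_onion_v3(address: str) -> bytes:
    """Return the ed25519 public key embedded in a v3 address, or raise ValueError.

    Accepts upper- or lower-case labels with or without the ".onion" suffix.
    """
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != _LABEL_LEN:
        raise ValueError(f"v3 onion label must be {_LABEL_LEN} characters, got {len(label)}")
    try:
        raw = base64.b32decode(label, casefold=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("label is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_V3_VERSION:
        raise ValueError(f"unsupported onion address version byte {version.hex()}")
    if checksum != onion_v3_checksum(pubkey, version):
        raise ValueError("checksum does not match embedded key")
    return pubkey


def is_valid_onion_v3(address: str) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        parse_onion_v3(address)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed placeholder key, not a real service key
    addr = onion_v3_from_pubkey(demo_key)
    print(addr)
    print("round-trip ok:", parse_onion_v3(addr) == demo_key)
```

Note that `parse_onion_v3` only proves the name is well-formed and internally consistent with the key it contains; a CA still has to demonstrate that the applicant controls the corresponding private key (or the service) through one of the permitted 3.2.2.4 methods before issuing.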