In the EV Guidelines [1], Appendix F states "The CA MUST include the CAB Forum Tor Service Descriptor Hash extension in the TBSCertificate convey hashes of keys related to .onion addresses." This language was added in Ballot 201 [2], which had an effective date of 8 July 2017.
The following certificates (and precertificates if the corresponding certificate is not in a public CT log) were issued by DigiCert after 8 July for .onion domains, but lack the necessary extension: https://crt.sh/?q=240277340 (revoked 26 October 2017) https://crt.sh/?q=261570255 https://crt.sh/?q=261570338 https://crt.sh/?q=261570380 https://crt.sh/?q=261570384 https://crt.sh/?q=261579788 https://crt.sh/?q=261601212 https://crt.sh/?q=261601280 https://crt.sh/?q=261601281 https://crt.sh/?q=261601284 https://crt.sh/?q=261988060 https://crt.sh/?q=326491168 https://crt.sh/?q=326830043 https://crt.sh/?q=328308725 https://crt.sh/?q=328961187 https://crt.sh/?q=329559222 https://crt.sh/?q=330180704 https://crt.sh/?q=351449233 (revoked 10 March 2018 after initial email to DigiCert) This was previously discussed on m.d.s.p about a year ago [3]. [1] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-EV-Guidelines-v1.6.8.pdf [2] https://cabforum.org/2017/06/08/2427/ [3] https://groups.google.com/d/msg/mozilla.dev.security.policy/6pBLHJBFNts/ZtNID_xfAgAJ _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
