In the EV Guidelines [1], Appendix F states "The CA MUST include the
CAB Forum Tor Service Descriptor Hash extension in the TBSCertificate
convey hashes of keys related to .onion addresses." This language was
added in Ballot 201 [2], which had an effective date of 8 July 2017.

The following certificates (and precertificates if the corresponding
certificate is not in a public CT log) were issued by DigiCert after 8
July for .onion domains, but lack the necessary extension: (revoked 26 October 2017) (revoked 10 March 2018 after initial email
to DigiCert)

This was previously discussed on m.d.s.p about a year ago [3].

dev-security-policy mailing list

Reply via email to