On 03/11/2017 07:08 PM, Seth David Schoen via Public wrote:
> Peter Bowen writes:
>
>> I'm honestly not a big fan of being limited to these three methods — they
>> all are methods which have to be completed by someone with access to the
>> "backend" server but not necessarily the onion proxy. What options might
>> exist for validation that are closer to the DNS validation method for
>> Internet names? How could a CA confirm that the onion name "owner" has
>> approved the request?
>
> You're right that none of these methods could be completed by someone
> with access to the onion proxy alone. I think the closest analogy would
> indeed call for a new onion-specific method, which would probably
> involve signing a challenge with the onion key or with a key signed by
> the onion key.
>
Hello,

I think that we should start with one basic question: what does DV validation mean? Does it mean that the applicant is the owner of the domain name, or does it mean that the applicant is in control of the web server serving the content? In the classic WebPKI case, this is the same thing. However, in the tor case this is different. For example, putting "HiddenServicePort 80 www.google.com:80" in my tor config doesn't make me owner of google's servers!

Trying to decipher the meaning, I checked appendix F of the EV SSL guidelines, where it states:

    The CA MUST verify the Applicant's control over the .onion Domain Name using one of the following:

    a. The CA MAY verify the Applicant's control over the .onion service by posting a specific value at a well-known URL under RFC5785.

    b. The CA MAY verify the Applicant's control over the .onion service by having the Applicant provide a Certificate Request signed using the .onion public key if the Attributes section of the certificationRequestInfo contains: ....

I am pretty confident that the former proves the applicant has control over the web server serving the content, while b proves that the applicant is the owner of the onion name.

I propose that before continuing the discussion on DV issuance for NG onion services (which I fully support), we should decide what DV validation actually means, and also correct the EV SSL guidelines.

My best guess is that DV (= Domain Validation) means that the applicant is the owner of the domain name. I also consider this the correct and needed interpretation, since TLS provides confidentiality and integrity over a connection between two endpoints. In the tor case, this means that the connection between the user and the proxy is encrypted. The user doesn't have any way of knowing if the connection between the proxy and the web server is encrypted. Thus any information in the subject should be related to the proxy and not to the webserver.
Regards,
Fotis

--
Fotis Loukos, PhD
Director of Security Architecture
SSL Corp
e: [email protected]
w: https://www.ssl.com

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
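As an added illustration (not code from this thread or from the CA/Browser Forum), here is the key-to-name binding check that makes method (b) a proof of onion-name ownership for next-generation (v3) onion services: the .onion name is derived from the service's Ed25519 public key, so a CA can check that the public key in the signed CSR reproduces the requested name exactly, something a backend operator without the onion key cannot satisfy. The sample key is constructed, and verifying the CSR's Ed25519 signature is assumed to be done separately with a crypto library.

```python
import base64
import hashlib

ONION_V3_VERSION = b"\x03"      # version byte from tor's rend-spec-v3
CHECKSUM_PREFIX = b".onion checksum"

def onion_v3_address(pubkey: bytes) -> str:
    """Derive the v3 .onion name from a 32-byte Ed25519 public key:
    base32(PUBKEY | CHECKSUM | VERSION) + ".onion", with
    CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be exactly 32 bytes")
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]
    label = base64.b32encode(pubkey + checksum + ONION_V3_VERSION).decode("ascii")
    return label.lower() + ".onion"

def parse_onion_v3_address(name: str) -> bytes:
    """Return the public key encoded in a v3 .onion name, or raise ValueError
    (wrong length, bad base32, version byte other than 3, checksum mismatch)."""
    label = name.strip().lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion label must be 56 base32 characters")
    raw = base64.b32decode(label.upper())   # binascii.Error is a ValueError subclass
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError("not a version-3 onion address")
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    if checksum != expected:
        raise ValueError("onion address checksum mismatch")
    return pubkey

def key_binds_onion_name(csr_pubkey: bytes, requested_name: str) -> bool:
    """CA-side check for method (b): the key that signed the CSR must be the key
    the requested .onion name was derived from. Verifying the CSR's Ed25519
    signature itself is a separate step not shown here."""
    try:
        return parse_onion_v3_address(requested_name) == csr_pubkey
    except ValueError:
        return False

if __name__ == "__main__":
    sample_key = bytes(range(32))   # constructed sample key, not a real service's key
    name = onion_v3_address(sample_key)
    print(name, key_binds_onion_name(sample_key, name))
```

Method (a), by contrast, only needs write access to the web root behind the proxy, which is exactly the distinction the message above draws.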
