On Tue, Apr 24, 2018 at 03:02:16PM -0400, Mike Tigas wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hey y'all,
>
> Just wanted to report in here with a little FYI (since knowing about this may
> be helpful to some folks here).
>
> I'm in the middle of renewing the cert for
> https://www.propub3r6espa33w.onion/ and threw a V3 onion into the CSR (since
> I'll probably tinker with rolling that out at some point later this year).
> (Also: let's not relitigate whether one should even have such certs for
> onions; it makes sense in our use case.) Apparently DigiCert's system
> currently has issues handling this right now (we went back and forth on weird
> systems delays during this order), but now they've narrowed down the problem:
>
> > The issue with the V3 URIs is that they use ECC keys and our system
> > for .onions was built to only accept RSA keys. They are working on
> > this fix and I will let you know as soon as I can get this order
> > issued with your V3 names included.
Yeah, I saw this case pop up in a thread about misissuance of TLS certs with
onion addresses last month [0], and there was a specific case including a v3
address [1]. Sorry, I should've sent an email about this.

Specifically, DigiCert said:

> [...] Unfortunately, it looks like the fetch function with v3 is not
> supported so we'll have to change how we pull and include the
> descriptor. Since the key is already in the cert, I agree there is
> nothing gained by including it, but I doubt there's strong incentives
> to change the guidelines right now. We'll modify to include it.

So this may be a combination of needing new functionality on the CA-side,
plus needing controller support on the tor-side (unless they wrote their own),
plus whatever else is missing.

[0] https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/7NzJgDomx_M
[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/7NzJgDomx_M/nycbt3QIAwAJ

_______________________________________________
tor-onions mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-onions
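The two messages above turn on one structural difference between v2 and v3 onion names: a v2 label is an 80-bit truncated SHA-1 of an RSA-1024 key, so a validator can only obtain the key by fetching the service descriptor, whereas a v3 label encodes the full ed25519 public key plus a checksum and version byte (tor's rend-spec-v3), so anyone holding the name already holds the key. The following script is an added example written for this thread, not code from DigiCert, Tor, or either poster; it encodes a v3 address from a constructed 32-byte key, decodes both address formats, verifies the v3 checksum, and reports whether a descriptor fetch is needed to learn the key. The function names and the result dictionary are my own choices.

```python
import base64
import binascii
import hashlib

# Constants from tor's rend-spec-v3 ("Encoding onion addresses").
V3_VERSION = b"\x03"
V3_CHECKSUM_PREFIX = b".onion checksum"


def v3_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]."""
    return hashlib.sha3_256(V3_CHECKSUM_PREFIX + pubkey + V3_VERSION).digest()[:2]


def encode_v3_onion(ed25519_pubkey: bytes) -> str:
    """v3 address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion": 35 bytes -> 56 chars."""
    if len(ed25519_pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = ed25519_pubkey + v3_checksum(ed25519_pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(name: str) -> dict:
    """Report what an .onion name tells a validator by itself, without any descriptor fetch."""
    label = name.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    result = {"version": None, "key_type": None, "public_key": None,
              "checksum_ok": None, "key_needs_descriptor": None}
    try:
        raw = base64.b32decode(label.upper())
    except binascii.Error:
        return result  # not base32 (or wrong length): not a valid onion label
    if len(raw) == 10:
        # v2: first 80 bits of SHA-1(DER-encoded RSA-1024 key). The key is not
        # recoverable from the name, so the validator must fetch the descriptor.
        result.update(version=2, key_type="rsa1024", key_needs_descriptor=True)
    elif len(raw) == 35 and raw[34:] == V3_VERSION:
        pubkey, checksum = raw[:32], raw[32:34]
        # v3: the ed25519 key is the name; the checksum guards against typos/tampering.
        result.update(version=3, key_type="ed25519", public_key=pubkey.hex(),
                      checksum_ok=(checksum == v3_checksum(pubkey)),
                      key_needs_descriptor=False)
    return result


if __name__ == "__main__":
    # Constructed sample key (not a real service key), used only to build a demo address.
    demo_key = bytes(range(32))
    demo_addr = encode_v3_onion(demo_key)
    print(demo_addr, classify_onion(demo_addr))
    print("propub3r6espa33w.onion", classify_onion("propub3r6espa33w.onion"))
```

Every v3 address ends in `d` because the version byte 0x03 occupies the last five bits of the base32 encoding; flipping any character inside the checksum region makes `checksum_ok` false without touching the key, which is the check a CA would apply before trusting a v3 SAN it is about to sign.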
