Re: [Acme] draft-misell-acme-onion

Sat, 15 Apr 2023 19:44:52 -0700

5.2 has few typos CAA when it should mean CA: (CAA can't read any descriptor, it's a text)
For running CAA in general, I think appendix B of CA/B BR method b made in a way that CA doesn't have to run Tor client at all. And it actually allows signing a cert for not yet hosted onion domain, given they control right private key to induce that domain name. In that case making CA required to run Tor client to read CAA conflicts this goal. 


And challenge 3.2, it doesn't work for public CA:  in acme context, 
CSR's pubkey sent in finalization is what CA will sign, but for 
challange perspective key there need to be ed25519 key (because it's 
onion v3 private key,) but CA/B does not allow signing ed25519 key in 
TLS certificate, you can't reuse CSR for both purpose.



2023-04-16 오전 1:22에 Q Misell 이(가) 쓴 글:


Hi all,



Hope you've all recovered from IETF116, it was lovely seeing you all 
there. Thanks to those who already gave me feedback on my draft.



As promised in my brief presentation at the WG meeting, here's my post 
introducing my draft draft 
<https://datatracker.ietf.org/doc/draft-misell-acme-onion/>-misell-acme-onion 
<https://datatracker.ietf.org/doc/draft-misell-acme-onion/> to ease 
issuance of certificates to Tor hidden services.



DigiCert and HARICA already issue X.509 certificates to Tor hidden 
services but there is no automation whatsoever on this. From my 
discussions with the Tor community this is something that bothers them 
so I've taken to writing this draft to hopefully address that.


The draft defines three ways of validation:
- http-01 over Tor
- tls-alpn-01 over Tor

- A new method onion-csr-01, where the CSR is signed by the key of the 
onion service



An explicit non goal is to define validation methods not already 
approved by the CA/BF, however if someone can make a compelling 
argument for an entirely novel method I wouldn't be entirely opposed 
to it.



Looking forward to your feedback, and some indication that this would 
be worth adopting as a WG draft.


Thanks,
Q Misell

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme






















					Reply via email to