On Mon, Feb 27, 2017 at 1:41 PM, Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> The EV Guidelines require certificates issued for .onion include the
> cabf-TorServiceDescriptor extension, defined in the EV Guidelines, as part of
> these certificates. This is required by Section 11.7.1 (1) of the EV
> Guidelines, reading: "For a Certificate issued to a Domain Name with .onion
> in the right-most label of the Domain Name, the CA SHALL confirm that, as of
> the date the Certificate was issued, the Applicant’s control over the .onion
> Domain Name in accordance with Appendix F."
I don't see anything requiring this extension to be included in certificates. (Hat tip to Andrew Ayer for noticing the lack of requirement.)

> The intent was to prevent collisions in .onion names due to the use of a
> truncated SHA-1 hash collision with distinct keys, as that would allow two
> parties to respond on the hidden service address using the same key.
>
> Last week, a SHA-1 collision was announced.
>
> In examining the .onion precertificates DigiCert has logged, available at
> https://crt.sh/?q=facebookcorewwwi.onion , I could not find a single one
> bearing this extension, which suggests these are all misissued certificates
> and violations of the EV Guidelines.
>
> During a past discussion of precertificates, at
> https://groups.google.com/d/msg/mozilla.dev.security.policy/siHOXppxE9k/0PLPVcktBAAJ
> , Mozilla did not discuss whether or not it considered precertificates
> misissuance, although one module peer (hi! it's me!) suggested they were.
>
> This interpretation seems consistent with the discussions during the WoSign
> issues, as some of those certificates examined were logged precertificates.
>
> Have I missed something in examining these certificates? Am I correct that
> they appear to be violations?
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
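Added example, not code from either poster: it shows why the truncated-SHA-1 point in the quoted message matters (a v2 .onion label keeps only 80 of SHA-1's 160 bits over the service's DER-encoded RSA public key, so distinct keys can in principle share a label) and encodes the check Ryan describes running against the crt.sh entries: does a certificate with a .onion name in the right-most label carry the cabf-TorServiceDescriptor extension? The OID 2.23.140.1.31 is the extension's arc in the EV Guidelines; the SubjectPublicKeyInfo SHA-256 binding is my reading of Appendix F and the SAN names and extension OIDs are assumed to come from whatever X.509 parser you already use.

```python
import base64
import hashlib

# Extension arc defined for cabf-TorServiceDescriptor in the EV Guidelines.
CABF_TOR_SERVICE_DESCRIPTOR_OID = "2.23.140.1.31"
B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def onion_v2_address(rsa_public_key_der: bytes) -> str:
    """v2 hidden-service label: base32 of the first 80 bits of SHA-1(key DER).

    Only 10 of SHA-1's 20 digest bytes survive, which is the truncation the
    thread refers to: the label alone does not uniquely identify a key.
    """
    truncated = hashlib.sha1(rsa_public_key_der).digest()[:10]
    return base64.b32encode(truncated).decode("ascii").lower()


def descriptor_key_hash(spki_der: bytes) -> str:
    """Full SHA-256 over the service's SubjectPublicKeyInfo, which is what the
    TorServiceDescriptorHash binds (my reading of Appendix F, assumption)."""
    return hashlib.sha256(spki_der).hexdigest()


def is_onion_name(dns_name: str) -> bool:
    """True when '.onion' is the right-most label, as Section 11.7.1 phrases it."""
    labels = dns_name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "onion"


def ev_onion_check(san_dns_names, extension_oids):
    """Return (needs_descriptor, has_descriptor) for one certificate.

    A (True, False) result is the situation reported in the thread: a .onion
    name is present but the cabf-TorServiceDescriptor extension is absent.
    """
    needs = any(is_onion_name(n) for n in san_dns_names)
    has = CABF_TOR_SERVICE_DESCRIPTOR_OID in set(extension_oids)
    return needs, has


if __name__ == "__main__":
    # Constructed stand-in for a key; a real check feeds the parsed SPKI DER.
    fake_key = b"\x30\x0d\x06\x09CONSTRUCTED-KEY-BYTES"
    print(onion_v2_address(fake_key), descriptor_key_hash(fake_key)[:16])
    print(ev_onion_check(["facebookcorewwwi.onion"], ["2.5.29.17"]))
```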