Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard

2015-07-16 11:05:00
On Thu, Jul 16, 2015 at 12:44 AM, Joe Hildebrand
<hildjj(_at_)cursive(_dot_)net> wrote:
> On 15 Jul 2015, at 5:37, David Conrad wrote:
>
>> I try to be pragmatic. Given I do not believe that refusing to put ONION
>> in the special names registry will stop the use of .ONION, the size of the
>> installed base of TOR implementations, and the implications of the use of
>> that string in certificates, I support moving ONION to the special names
>> registry.  I really (really) wish there were more concrete, objective metrics
>> (e.g., size of installed base or some such), but my gut feeling is that TOR
>> is pretty well deployed and given the CAB Forum stuff, I see no particular
>> reason to delay (after all, it's not like the deployed base of TOR is likely
>> to get smaller).
>
> I don't see any mention of the CAB Forum stuff in the draft.  Has anyone
> done the analysis to see if CAB Forum members really will issue certs to
> .onion addresses if we do this?  Do they issue certs for .example or .local
> today?

There are at least a few CAs issuing for .onion right now, under the
exceptions that are going to expire in a few months.  So I assume that
these CAs will be interested in issuing if policy allows.

My understanding is that the basic requirement that CABF has is that a
name either be clearly a valid DNS name or clearly *not* a valid DNS
name.  (And in either case, that the applicant be able to demonstrate
control.)  Right now, that's ambiguous.  Adding .onion to the RFC 6761
registry would remove the ambiguity, since it would officially mark
names under .onion as not DNS names.

--Richard

> If certificate issuance is one of the key drivers for this work, there needs
> to be information in the draft that shows that this approach will work.
>
> --
> Joe Hildebrand


_______________________________________________
DNSOP mailing list
DNSOP(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/dnsop