DigiCert .onion certificates without Tor Service Descriptor Hash extension

In the EV Guidelines [1], Appendix F states "The CA MUST include the
CAB Forum Tor Service Descriptor Hash extension in the TBSCertificate
convey hashes of keys related to .onion addresses." This language was
added in Ballot 201 [2], which had an effective date of 8 July 2017.

The following certificates (and precertificates if the corresponding
certificate is not in a public CT log) were issued by DigiCert after 8
July for .onion domains, but lack the necessary extension:
https://crt.sh/?q=240277340 (revoked 26 October 2017)
https://crt.sh/?q=261570255
https://crt.sh/?q=261570338
https://crt.sh/?q=261570380
https://crt.sh/?q=261570384
https://crt.sh/?q=261579788
https://crt.sh/?q=261601212
https://crt.sh/?q=261601280
https://crt.sh/?q=261601281
https://crt.sh/?q=261601284
https://crt.sh/?q=261988060
https://crt.sh/?q=326491168
https://crt.sh/?q=326830043
https://crt.sh/?q=328308725
https://crt.sh/?q=328961187
https://crt.sh/?q=329559222
https://crt.sh/?q=330180704
https://crt.sh/?q=351449233 (revoked 10 March 2018 after initial email
to DigiCert)

This was previously discussed on m.d.s.p about a year ago [3].

[1] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-EV-Guidelines-v1.6.8.pdf
[2] https://cabforum.org/2017/06/08/2427/
[3] https://groups.google.com/d/msg/mozilla.dev.security.policy/6pBLHJBFNts/ZtNID_xfAgAJ
0
Alex
3/12/2018 3:36:32 AM
mozilla.dev.security.policy 1332 articles. 2 followers. Post Follow

0 Replies
54 Views

Similar Articles

[PageSpeed] 21

Reply: