On Tue, Apr 24, 2018 at 03:02:16PM -0400, Mike Tigas wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Hey y'all,
Just wanted to report in here with a little FYI (since knowing about this may be helpful to some folks here).
I'm in the middle of renewing the cert forĀ https://www.propub3r6espa33w.onion/%C2%A0and threw a V3 onion into the CSR (since I'll probably tinker with rolling that out at some point later this year). (Also: let's not relitigate whether one should even have such certs for onions; it makes sense in our usecase.) Apparently DigiCert's system currently has issues handling this right now (we went back and forth on weird systems delays during this order), but now they've narrowed down the problem:
The issue with the V3 URIs is that they use ECC keys and our system for .onions was built to only accept RSA keys. They are working on this fix and I will let you know as soon as I can get this order issued with your V3 names included.
Yeah, I saw this case pop-up in a thread about misissuance of TLS certs with onion addresses last month[0] and there was a specific case including a v3 address [1]. Sorry, I should've sent an email about this.
Specifically, DigiCert said:
[...] Unfortunately, it looks like the fetch function with v3 is not supported so we'll have to change how we pull and include the descriptor. Since the key is already in the cert, I agree there is nothing gain by including it, but I doubt there's strong incentives to change the guidelines right now. We'll modify to include it.
So this may be a combination of needing new functionality on the CA-side, plus needing controller support on the tor-side (unless they wrote their own), plus whatever else is missing.
[0] https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/7NzJgDom... [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/7NzJgDomx_M/nycb...