
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hey y'all,

Just wanted to report in here with a little FYI (since knowing about this may be helpful to some folks here).

I'm in the middle of renewing the cert for https://www.propub3r6espa33w.onion/ and threw a V3 onion into the CSR (since I'll probably tinker with rolling that out at some point later this year). (Also: let's not relitigate whether one should even have such certs for onions; it makes sense in our use case.) Apparently DigiCert's system currently has issues handling this right now (we went back and forth on weird systems delays during this order), but now they've narrowed down the problem:
The issue with the V3 URIs is that they use ECC keys and our system for .onions was built to only accept RSA keys. They are working on this fix and I will let you know as soon as I can get this order issued with your V3 names included.
Cheers,
Mike Tigas
https://mike.tig.as/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEGzfVMu3Uhpsce8OaFLh4upXaaEoFAlrffx4ACgkQFLh4upXa aEr9nBAAsBqrj6E1dxBMzrgkXVUnXPJnmdf0uYC3b6vEnDFWMBkxnY+/KymEiDUj fpmcjg4QWOD477SmffygWvF3VBoETnqp8BfqMULLg9qUWQVu1ZsbjRXIpbAO9hxs 6bTkxE/BVsoB5eAd4FrmgvKdSuEu6cLeFcXNH1zQBuSfRTwRfIzrkC7Z6Ak0K6u9 om6ktfgkqKaGBgXwXL4f2qfIIHuq0GmyxktEUNHBNafwysmqIl/0vUg5YmYvshUu /xWp7yrcrQ4E3tri3skCpOJD9Fa8ELBs4qtcbx8BqpbO7QyjKy8VmbpSX6zPjQBi UdyrabtMlY3w0vDYJoB7RIG2Zt5MGbsC5sl8WohhQbP2EzYhpjriYMTMjywTnWYW qFIC7nBY3eGg/YDFII+X4r+4rQGIoW3O3C5frOSD6LfJYfwkUvFL6z/fVHygwixD 0xNvV5YawluEctXVdvUIQPxSPrN3yhkRffZQPBPQm2+2B1GW9fH1FGLP4sI9w+Iq whXpBqo6aR0dLdk/E+aKhkV94ezyYHbnW3jw/5uYpLv/jWMHgBq2w7WPvQvI40yG jir194aiZNKXHtZIy2tmqMtEknRLA2jPRclUdrRiCHBAtht3+350RRZI0oV35gLB 1WThM/aFidyyRN5jBGpOM1lEfnBR0PYmNDQnrg79Wi3wqDNAfK8=
=WTCN
-----END PGP SIGNATURE-----

On Tue, Apr 24, 2018 at 03:02:16PM -0400, Mike Tigas wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hey y'all,
Just wanted to report in here with a little FYI (since knowing about this may be helpful to some folks here).
I'm in the middle of renewing the cert for https://www.propub3r6espa33w.onion/ and threw a V3 onion into the CSR (since I'll probably tinker with rolling that out at some point later this year). (Also: let's not relitigate whether one should even have such certs for onions; it makes sense in our use case.) Apparently DigiCert's system currently has issues handling this right now (we went back and forth on weird systems delays during this order), but now they've narrowed down the problem:
The issue with the V3 URIs is that they use ECC keys and our system for .onions was built to only accept RSA keys. They are working on this fix and I will let you know as soon as I can get this order issued with your V3 names included.
Yeah, I saw this case pop up in a thread about misissuance of TLS certs with onion addresses last month[0] and there was a specific case including a v3 address [1]. Sorry, I should've sent an email about this. Specifically, DigiCert said:
[...] Unfortunately, it looks like the fetch function with v3 is not supported so we'll have to change how we pull and include the descriptor. Since the key is already in the cert, I agree there is nothing gain by including it, but I doubt there's strong incentives to change the guidelines right now. We'll modify to include it.
So this may be a combination of needing new functionality on the CA-side, plus needing controller support on the tor-side (unless they wrote their own), plus whatever else is missing.

[0] https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/7NzJgDom...
[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/7NzJgDomx_M/nycb...
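The two DigiCert statements quoted above (v3 URIs "use ECC keys", and the descriptor for a v3 service has to be fetched differently) both come down to what a v3 onion address actually encodes. The following Python is an added illustration, not code from this thread, from DigiCert, or from the Tor project: it implements the v3 address format from the Tor rendezvous specification (base32 of a 32-byte ed25519 public key, a two-byte SHA3-256 checksum and a version byte 0x03), shows that the 16-character v2 form carries only a truncated hash rather than a key, and validates the checksum so that a mistyped address is rejected before anything is looked up. The ed25519 key used below is constructed for the example; it does not belong to any real service.

```python
"""Decode and validate Tor onion addresses, distinguishing v2 from v3.

v2 (16 chars):  base32( first 80 bits of SHA-1( DER RSA-1024 public key ) )
v3 (56 chars):  base32( PUBKEY[32] || CHECKSUM[2] || VERSION[1] )
                CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
A v3 address therefore *is* an ed25519 (ECC) public key; a v2 address
only identifies an RSA key that must be obtained from the descriptor.
"""
import base64
import hashlib

V3_VERSION = b"\x03"
V3_CHECKSUM_PREFIX = b".onion checksum"
V2_LABEL_LEN = 16   # 80 bits of base32
V3_LABEL_LEN = 56   # 280 bits of base32 = 35 raw bytes, no padding


def _label(hostname: str) -> str:
    """Strip a trailing '.onion' (case-insensitively) and lowercase the rest."""
    label = hostname.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    return label


def classify(hostname: str) -> str:
    """Return 'v2' or 'v3' from the label length, or raise ValueError."""
    label = _label(hostname)
    if any(c not in "abcdefghijklmnopqrstuvwxyz234567" for c in label):
        raise ValueError("onion label is not base32")
    if len(label) == V2_LABEL_LEN:
        return "v2"
    if len(label) == V3_LABEL_LEN:
        return "v3"
    raise ValueError(f"unexpected onion label length {len(label)}")


def v3_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum defined by the v3 rendezvous spec."""
    digest = hashlib.sha3_256(V3_CHECKSUM_PREFIX + pubkey + V3_VERSION).digest()
    return digest[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 .onion hostname from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_v3(hostname: str) -> bytes:
    """Return the ed25519 public key embedded in a v3 address.

    Raises ValueError if the address is not v3, has the wrong version byte,
    or fails its checksum (e.g. a single mistyped character).
    """
    if classify(hostname) != "v3":
        raise ValueError("not a v3 onion address")
    raw = base64.b32decode(_label(hostname).upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        raise ValueError(f"unsupported onion version byte {version.hex()}")
    if checksum != v3_checksum(pubkey):
        raise ValueError("onion address checksum mismatch")
    return pubkey


if __name__ == "__main__":
    # Constructed key for demonstration only; not a real service key.
    demo_key = bytes(range(32))
    addr = encode_v3(demo_key)
    print("v3 address:", addr, "->", classify(addr), "key:", decode_v3(addr).hex())
    # The ProPublica address from the thread is the 16-character v2 form.
    print("propub3r6espa33w.onion ->", classify("propub3r6espa33w.onion"))
```

The practical point for a CA or a client that handles both forms: for a v3 name the subject key material is already in the hostname, so `decode_v3` yields the ed25519 key directly, whereas a v2 name gives only a hash and the RSA key has to come from a fetched descriptor, which is exactly the pipeline DigiCert describes as RSA-only.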

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On April 24, 2018 7:43 PM, Matthew Finkel <matthew.finkel@gmail.com> wrote:
Yeah, I saw this case pop up in a thread about misissuance of TLS certs
with onion addresses last month[0] and there was a specific case
including a v3 address [1]. Sorry, I should've sent an email about this.
Hmm, the v3 address is mine but no-one has reached out to me about anything and the cert is still valid.
Participants (3): Gareth Llewellyn, Matthew Finkel, Mike Tigas