[tor-onions] DigiCert support for V3 onions (for onion EV certs)

[Matthew Finkel]

On Tue, Apr 24, 2018 at 03:02:16PM -0400, Mike Tigas wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Hey y'all,
> 
> Just wanted to report in here with a little FYI (since knowing about this may be helpful to some folks here).
> 
> I'm in the middle of renewing the cert for https://www.propub3r6espa33w.onion/ and threw a V3 onion into the CSR (since I'll probably tinker with rolling that out at some point later this year). (Also: let's not relitigate whether one should even have such certs for onions; it makes sense in our usecase.) Apparently DigiCert's system currently has issues handling this right now (we went back and forth on weird systems delays during this order), but now they've narrowed down the problem:
> 
> > The issue with the V3 URIs is that they use ECC keys and our system
> > for .onions was built to only accept RSA keys. They are working on
> > this fix and I will let you know as soon as I can get this order
> > issued with your V3 names included.

Yeah, I saw this case pop-up in a thread about misissuance of TLS certs
with onion addresses last month[0] and there was a specific case
including a v3 address [1]. Sorry, I should've sent an email about this.

Specifically, DigiCert said:

> [...] Unfortunately, it looks like the fetch function with v3 is not
> supported so we'll have to change how we pull and include the
> descriptor. Since the key is already in the cert, I agree there is
> nothing gain by including it, but I doubt there's strong incentives
> to change the guidelines right now. We'll modify to include it.

So this may be a combination of needing new functionality on the
CA-side, plus needing controller support on the tor-side (unless they
wrote their own), plus whatever else is missing.


[0] https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/7NzJgDomx_M
[1]
https://groups.google.com/d/msg/mozilla.dev.security.policy/7NzJgDomx_M/nycbt3QIAwAJ