Ballot-144 passed

Ballot 144 – Validation rules for .onion names

Server Certificate Working Group

Key dates

Effective date: 01 May 2015
Voting opened: 11 Feb 2015
Voting closed: 18 Feb 2015
Discussion opened: 04 Feb 2015
Discussion closed: 11 Feb 2015

AI Summary

Generated 2026-06-23 21:34 UTC

Ballot overview

  • Ballot 144 concerns validation rules for .onion names.
  • The ballot page says the ballot passed with 6 Yes votes, 2 No votes, and 13 Abstentions from the CAs, plus 3 Yes votes from the browsers.
  • The motion amends the Baseline Requirements and the EV Guidelines to allow issuance and validation for .onion domain names under specified conditions.

Key requirements in the motion

  • For Baseline Requirements Section 9.2.1, the CA must confirm control of the FQDN or IP address before issuance.
  • The motion states that wildcard FQDNs are permitted.
  • The motion requires CAs to notify applicants that certificates containing Reserved IP Addresses or Internal Names are deprecated and will be eliminated by October 2016.
  • The motion prohibits issuance of certificates with an expiry date later than 1 November 2015 if they contain a Reserved IP Address or Internal Name.
  • Effective 1 October 2016, CAs must revoke all unexpired certificates whose subjectAltName extension or Subject commonName field contains a Reserved IP Address or Internal Name.
  • Effective May 1, 2015, each CA must revoke all unexpired certificates with an Internal Name using onion as the right-most label in subjectAltName or commonName unless issued under Appendix F of the EV Guidelines.
  • For EV certificates, the motion adds a rule that Domain Names with .onion in the right-most label require control verification in accordance with Appendix F.
  • The motion adds Appendix F for issuance of EV certificates for .onion domain names.
  • Appendix F allows issuance only if the CA verifies control of the .onion service using one of the listed methods, including a well-known URL challenge or a signed certificate request using the .onion public key with CA and applicant signing nonces.
  • Appendix F allows a wildcard character as the left-most character in the .onion domain name if it complies with Section 11.1.3 of the Baseline Requirements.
  • Appendix F limits validity to 15 months for certificates including a .onion domain name in the right-most label.
  • Appendix F also states that on or before May 1, 2015, each CA must revoke all certificates with a .onion domain name in the right-most label unless the certificate was issued in compliance with Appendix F.

Dates stated in the ballot

  • Review period: 4 February 2015 to 11 February 2015.
  • Voting period: immediately after the review period and closing at 2200 UTC on Wednesday, 18 February 2015.
  • Effective May 1, 2015: revoke unexpired certificates with Internal Names using onion as the right-most label unless issued under Appendix F.
  • Effective 1 October 2016: revoke all unexpired certificates containing a Reserved IP Address or Internal Name.
  • October 2016: certificates containing Reserved IP Addresses or Internal Names are described as deprecated and to be eliminated by this time.
  • 1 November 2015: certificates containing a Reserved IP Address or Internal Name may not have an expiry date later than this date.

Result

  • The ballot passed.
  • The evidence does not provide a separate IPR end date or any exclusion notice information.
Model: gpt-5.4-mini Confidence: 0.95 Result: passed

Applicability and conditions

  • 2015-05-01: Certificates with an Internal Name using onion as the right-most label in subjectAltName or commonName, unless issued in accordance with Appendix F of the EV Guidelines. CAs must revoke all unexpired certificates in this category.
  • 2016-10-01: Certificates whose subjectAltName extension or Subject commonName field contains a Reserved IP Address or Internal Name. CAs must revoke all unexpired certificates in this category.
  • 2015-11-01: Certificates containing a Reserved IP Address or Internal Name. CAs must not issue certificates with an expiry date later than this date.
  • 2015-05-01: Certificates with a Domain Name where .onion is in the right-most label, unless issued in compliance with Appendix F. CAs must revoke all such certificates.
  • 2015-05-01: EV certificates for .onion domain names under Appendix F. CAs must verify control of the .onion domain name using one of the methods listed in Appendix F before issuance.
  • 2015-05-01: EV certificates including a .onion domain name in the right-most label. CAs must not issue certificates with a validity period longer than 15 months.

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Proposers

Proposed by Jeremy Rowley of DigiCert and endorsed by Ryan Sleevi of Google and Wayne Thayer of GoDaddy.

Excerpt

Ballot 144 – Validation Rules for .onion Names – passed with 6 Yes votes, 2 No votes and 13 Abstentions from the CAs and 3 Yes votes from the browsers.
