SC-027v3 passed

Ballot SC027v3: Version 3 Onion Certificates

Server Certificate Working Group

Key dates

Effective date
19 Feb 2020
Voting opened
12 Feb 2020
Voting closed
19 Feb 2020
Discussion opened
25 Jan 2020
Discussion closed
12 Feb 2020

AI Summary

Generated 2026-06-23 21:29 UTC

Ballot overview

  • Ballot SC027v3, Version 3 Onion Certificates, was proposed by Wayne Thayer of Mozilla and endorsed by Roland Shoemaker of Let’s Encrypt and Dimitris Zacharopoulos of HARICA.
  • The ballot proposed two Final Maintenance Guidelines.
  • It modifies the Baseline Requirements and the EV Guidelines to allow certificates for Version 3 .onion domain names.

What changes were proposed

  • In the Baseline Requirements, the ballot adds a new rule in section 3.2.2.4 so that:
    • FQDNs that do not contain onion as the rightmost label continue to be validated using the existing listed methods.
    • FQDNs that do contain onion as the rightmost label must be validated in accordance with Appendix C.
  • The ballot adds Appendix C to the Baseline Requirements for issuance of certificates for .onion domain names.
  • In the EV Guidelines, the ballot modifies Appendix F so that EV issuance for .onion names may comply with Appendix F or Appendix C of the Baseline Requirements.
  • The ballot states that older version 2 onion addresses are still in use, so it does not remove the existing EV Guidelines requirements for onion names.

Appendix C requirements for .onion names

  • The domain name must contain at least two labels, with onion as the right-most label.
  • The label immediately before onion must be a valid Version 3 Onion Address as defined in the Tor Rendezvous Specification - Version 3.
  • The CA must verify the Applicant’s control over the .onion domain name using at least one of the listed methods:
    • Agreed-Upon Change to Website, with the timelines in section 3.2.2.4 applying if that method is replaced by a newer version.
    • A certificate request signed using the .onion public key, if the request includes a CA-generated caSigningNonce and an Applicant-generated applicantSigningNonce with at least 64 bits of entropy.
  • The Random Value used for the confirming response must remain valid for no more than 30 days from creation, unless the CPS specifies a shorter period.
  • A wildcard character may be included as the left-most character in the .onion domain name in the Subject Alternative Name Extension and Subject Common Name Field, if Section 3.2.2.6 is followed.
  • A certificate containing an FQDN with onion in the right-most label is not considered an Internal Name if it was issued in compliance with Appendix C.
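
The first two Appendix C name rules above can be checked mechanically. The following is an added example, not part of the ballot text or any CA's code: the function names are hypothetical, the address layout (base32 of public key, 2-byte SHA3-256 checksum, version byte 0x03) is taken from the Tor Rendezvous Specification - Version 3, and the sample key is constructed. It checks structure only; it does not confirm the key is a valid Ed25519 point and does not perform the control validation Appendix C also requires.

```python
import base64
import hashlib

VERSION = b"\x03"  # version byte of a v3 onion address

def _checksum(pubkey: bytes) -> bytes:
    # rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]

def encode_v3_label(pubkey: bytes) -> str:
    """Encode a 32-byte Ed25519 public key as a 56-character v3 onion label."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    return base64.b32encode(pubkey + _checksum(pubkey) + VERSION).decode().lower()

def is_v3_onion_label(label: str) -> bool:
    """Structural check: base32 of PUBKEY(32) | CHECKSUM(2) | VERSION(1)."""
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label, casefold=True)
    except ValueError:  # bad alphabet, bad padding, or non-ASCII input
        return False
    if len(raw) != 35:
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == VERSION and checksum == _checksum(pubkey)

def classify_fqdn(fqdn: str) -> str:
    """Return 'not-onion', 'ok' or 'invalid' for the Appendix C name rules."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels[-1] != "onion":
        return "not-onion"   # validated with the existing 3.2.2.4 methods instead
    if len(labels) < 2:
        return "invalid"     # Appendix C needs at least two labels
    return "ok" if is_v3_onion_label(labels[-2]) else "invalid"

if __name__ == "__main__":
    # Constructed sample: bytes 0..31 stand in for a public key.
    sample = encode_v3_label(bytes(range(32)))
    for name in (sample + ".onion", "www." + sample + ".onion",
                 "example.com", "abcdefghijklmnop.onion"):
        print(name, "->", classify_fqdn(name))
```

A 16-character label such as a Version 2 address is reported as invalid here, which matches the ballot's scope: those names stay under the existing EV Guidelines requirements rather than Appendix C.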

Ballot process and result

  • Discussion period: 25-January 2020 00:00 UTC to 12-February 2020 20:00 UTC.
  • Vote period: 12-February 2020 20:00 UTC to 19-February 2020 20:00 UTC.
  • The ballot page says the voting period has ended and the ballot has Passed.
  • Voting by Certificate Issuers: 15 votes total including abstentions, with 9 Yes, 0 No, and 6 Abstain.
  • Voting by Certificate Consumers: 4 votes total including abstentions, with 4 Yes, 0 No, and 0 Abstain.
  • The page states that the bylaw requirements were met for both Certificate Issuers and Certificate Consumers.
  • The page states quorum was met.
Model: gpt-5.4-mini Confidence: 0.98 Result: passed
Applicability and conditions

2020-02-19: CAs must validate .onion domain names in accordance with Appendix C before issuing Certificates containing one or more RFC 7686 .onion special-use Domain Names. Appendix C applies to .onion FQDNs, while non-.onion FQDNs continue to use the existing validation methods.

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Vote result

0 Yes
0 No
6 Abstain

0% yes · 0% no · 100% abstain

Proposers

Proposed by Wayne Thayer of Mozilla and endorsed by Roland Shoemaker of Let’s Encrypt and Dimitris Zacharopoulos of HARICA.

Excerpt

Ballot SC027v3: Version 3 Onion Certificates. Ballot Results: The voting period for Ballot SC27v3 has ended and the Ballot has Passed. Here are the results:
