CA/B Forum clarified the rules for issuing SSL certificates for .onion domains
The CA/B Forum (the CA/Browser Forum, the industry body whose Baseline Requirements and EV Guidelines govern publicly trusted SSL certificates) recently adopted a new provision: the Tor Service Descriptor Hash extension is now mandatory in the TBSCertificate of every certificate issued for a .onion name. A certification authority may issue an EV certificate for a .onion domain name only if it complies with both of the following rules:
- The certification authority must include the CA/B Forum extension in the TBSCertificate to carry the hash of the public key associated with each .onion address named in the certificate.
- The certification authority must encode the Tor Service Descriptor Hash extension in the following ASN.1 format:
cabf-TorServiceDescriptorHash OBJECT IDENTIFIER ::= { 2.23.140.1.31 }
TorServiceDescriptorHash ::= SEQUENCE {
    algorithm               AlgorithmIdentifier,
    subjectPublicKeyHash    BIT STRING }
Here AlgorithmIdentifier identifies the hash algorithm, one of the SHA family defined in RFC 6234, that the CA computes over the raw (unprocessed) public key of the .onion service.
subjectPublicKeyHash is the resulting digest of that raw public key, carried as a BIT STRING. The extension therefore binds the certificate to a specific onion service key; it is a binding, not by itself a proof that the applicant controls that key.
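As an added worked example (not part of the original article or of the CA/B Forum text), the following Python builds, parses and verifies this extension with a small hand-written DER codec from the standard library only. It assumes SHA-256 as the hash algorithm (the rule only requires an RFC 6234 algorithm), the sample public key bytes are a constructed placeholder rather than a real onion service key, and the v2 address derivation is included to show that the address and the extension are both computed from the same raw key.

```python
"""Encode, parse and verify the CA/B Forum TorServiceDescriptorHash extension
(OID 2.23.140.1.31) with a minimal hand-written DER codec, standard library only."""
import base64
import hashlib
import hmac

OID_TOR_SERVICE_DESCRIPTOR_HASH = "2.23.140.1.31"  # cabf-TorServiceDescriptorHash
OID_SHA256 = "2.16.840.1.101.3.4.2.1"              # id-sha256; RFC 5754: parameters absent
HASHES = {OID_SHA256: hashlib.sha256}              # hash OIDs this verifier accepts

# Constructed placeholder standing in for the raw (DER-encoded RSA) public key of
# an onion service; it is NOT a real key, just deterministic bytes for the demo.
SAMPLE_PUBKEY = bytes(range(256)) + b"constructed-onion-service-key"


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int, expect_tag=None):
    """Return (tag, value, next_pos) of the element at pos; enforce the tag if given."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if expect_tag is not None and tag != expect_tag:
        raise ValueError(f"expected tag {expect_tag:#x}, got {tag:#x}")
    return tag, buf[pos:pos + length], pos + length


def encode_tor_service_descriptor_hash(raw_pubkey: bytes) -> bytes:
    """TorServiceDescriptorHash ::= SEQUENCE { algorithm AlgorithmIdentifier,
    subjectPublicKeyHash BIT STRING }; the hash is computed over the raw key."""
    digest = hashlib.sha256(raw_pubkey).digest()
    alg_id = _tlv(0x30, der_oid(OID_SHA256))   # AlgorithmIdentifier, no parameters
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + digest))  # leading 0x00 = 0 unused bits


def encode_extension(raw_pubkey: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID, extnValue OCTET STRING }; critical is
    DEFAULT FALSE and therefore omitted under DER."""
    inner = encode_tor_service_descriptor_hash(raw_pubkey)
    return _tlv(0x30, der_oid(OID_TOR_SERVICE_DESCRIPTOR_HASH) + _tlv(0x04, inner))


def parse_extension(ext: bytes):
    """Return (hash_oid, hash_bytes) from an Extension; raise ValueError if malformed."""
    _, body, _ = _read_tlv(ext, 0, 0x30)
    _, oid, pos = _read_tlv(body, 0, 0x06)
    if decode_oid(oid) != OID_TOR_SERVICE_DESCRIPTOR_HASH:
        raise ValueError("not a TorServiceDescriptorHash extension")
    tag, value, pos = _read_tlv(body, pos)
    if tag == 0x01:                               # explicit critical BOOLEAN: skip it
        tag, value, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue OCTET STRING missing")
    _, tsdh, _ = _read_tlv(value, 0, 0x30)
    _, alg, pos = _read_tlv(tsdh, 0, 0x30)
    _, alg_oid, _ = _read_tlv(alg, 0, 0x06)
    _, bits, _ = _read_tlv(tsdh, pos, 0x03)
    if not bits or bits[0] != 0:                  # a byte-aligned hash has 0 unused bits
        raise ValueError("malformed subjectPublicKeyHash BIT STRING")
    return decode_oid(alg_oid), bits[1:]


def verify_extension(ext: bytes, raw_pubkey: bytes) -> bool:
    """True iff the extension's hash matches raw_pubkey under an accepted algorithm."""
    try:
        oid, expected = parse_extension(ext)
    except (ValueError, IndexError):
        return False
    fn = HASHES.get(oid)
    if fn is None:
        return False                              # unknown hash OID: refuse, do not guess
    return hmac.compare_digest(fn(raw_pubkey).digest(), expected)


def onion_v2_address(raw_pubkey: bytes) -> str:
    """Version-2 .onion name: base32 of the first 80 bits of SHA-1 over the DER
    RSA public key, i.e. the same raw key whose hash the extension carries."""
    return base64.b32encode(hashlib.sha1(raw_pubkey).digest()[:10]).decode().lower() + ".onion"


if __name__ == "__main__":
    ext = encode_extension(SAMPLE_PUBKEY)
    print("extension DER:", ext.hex())
    print("parsed:", parse_extension(ext))
    print("address bound to this key:", onion_v2_address(SAMPLE_PUBKEY))
    print("verifies against key:", verify_extension(ext, SAMPLE_PUBKEY))
    print("verifies against other key:", verify_extension(ext, SAMPLE_PUBKEY + b"x"))
```

When checking a real certificate, feed parse_extension the DER of the extension taken from the TBSCertificate and compare against the raw key of the service you expect; a match shows the certificate was issued for that key, while an unknown hash OID is treated as a failure rather than silently accepted.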
The change amends the Extended Validation Guidelines adopted by the CA/B Forum. Nine certification authorities voted for the change, four abstained, and four browser vendors voted for it.
About .onion domains
.onion domains name Tor onion services (formerly called hidden services). A .onion address is derived from the service's own public key, and connections to it stay inside the Tor network, which hides the location and browsing behaviour of the user and the location of the server. Tor is designed to protect confidential communication online. The deep web, the part of the web that search engines do not index, is often estimated to hold about 500 times more content than the open web. .onion sites are frequently used to host databases and services for government agencies, educational institutions and private companies.
Because a .onion name is a hash-derived string rather than a human-readable name, a user has no easy way to tell whether a given .onion address really belongs to the organisation it claims to represent. A certificate from a public CA binds a verified organisation identity to that .onion name, which makes it easier for users to confirm that they are on the genuine site.
You can always order SSL certificates for .onion domains in our store.