An Open Letter to CA/Browser Forum re: Personal Certificates for “.onion”

Ryan, I’d like to take you up on your invitation and request that you forward the following text to the CA/Browser Forum public list, please…

Hi CA/B Forum! I’m a software engineer and one of the authors of RFC 7686; since 2001 I have maintained a personal blog and it’s overdue for a complete software refresh. I want to take advantage of Let’s Encrypt to provide normal HTTPS certificates for the blog, and I want a 100% HTTPS deployment when I am done.

I intend also to provide my blog with an Onion Address, thus my question:

On my blog I do not represent a company – I act purely as an individual; I expect to easily get a “normal” domain-related certificate from Let’s Encrypt, but as an individual I will not be able to get an EV certificate for my Onion Site as mandated by CA/B Forum Ballot 144.

This situation inhibits me from protecting my personal blog’s Onion Site with some form of Onion HTTPS certificate.

It further discriminates against my choice of software deployment as an individual.

Perhaps I could run my blog as HTTP-over-Onion and HTTPS-over-Internet, but this breaks my goal of a 100% HTTPS deployment. Clients of my Onion Site would not have access to HTTPS-only “Secure” cookies and other functionality which browsers today (or will soon) restrict to HTTPS sites, e.g. Camera & Microphone access. This would be an undesirable lack of consistency.

It is not viable to hack the Tor Browser to support an “Onion-only” CA, because only some portion of Tor traffic uses the Tor Browser; non-browser apps which use Tor would not be able take advantage of such a kludge, and thereby would not see the benefit of SSL.

In any case, “.onion” is now an official special-use TLD, and therefore should be supported by official means.

After a hint from Ryan Sleevi – plus referring to the Mozilla CA glossary [1] – I did some research and think that I need either an AV (address validation) or an IV (individual validation) SSL Certificate for my personal blog’s Onion Site.

Discussing likely use cases with Runa Sandvik, we believe that people who use Tor desire (at least) all of privacy, anonymity and integrity. The option that seems most sympathetic to all of these requirements is the AV (address validation) certificate. An AV certificate would provide an Onion Address with an SSL certificate (and thus a form of persistent identity) corresponding simply to an RFC822 email address. This would appear extremely well-suited to users of Onion-backed instant messenger software, such as Ricochet, especially those communicating without reference to “real world” identities.

The alternative of an IV (individual validation) certificate appears closer to the goals of the EV certificate, being a more expensive “absolute identity” certificate that would (per the Glossary) require a Driving License, Passport, or National Identity Card to get. This would be useful for instances where people wish to publicly attest to ownership of what they write / blog / post / publish, but would be less useful e.g. for whistleblowers operating in repressive regimes.

Frankly I see a need for both, and would be (for this case in point) happy to get one of either, but am also open to other alternatives which would not require me to register a company to bootstrap.

So, finally, the question: how may I go about obtaining a suitable, personal, Onion-capable SSL Certificate for my blog, please?

Alec Muffett

[1] – some extracts follow:

AV (address validation) — Many CAs issue end entity certificates to individuals for use with S/MIME email for which the applicant need only demonstrate that they own and/or control the email address named in the certificate. For example, the owner of the “” address could obtain an AV certificate for that address based on their demonstrating to a CA that they owned or controlled the email address in question, e.g., by responding to email addresses sent to an email sent to that address. We can refer to such certificates as address-validated or AV certificates.

More formally we can define AV certificates as certificates containing an emailAddress attribute or Subject Alternative Name extension with a value (or values) apparently corresponding to an RFC 822 email address, for which the CA makes claims (e.g., in the CPS) that it has in some way validated that that address in question is owned and/or legitimately controlled by the cert subscriber, and for which the CA makes no claims as to the validity of any individual identity stored in the Common Name attribute of the certificate. Note that “AV” is not a common industry term, but is newly-coined by analogy with “DV”, “IV”, etc. Some people use the term “DV” loosely to cover this case, but arguably it deserves a term of its own.


IV (individual validation or identity validation) — Many CAs issue end entity certificates to individuals for email, SSL/TLS client authentication, and other uses, for which the applicant is required to supply some sort of evidence as to their identity (e.g., by presenting themselves in person with a copy of their national identity card). These are commonly referred to as identity-validated or IV certificates.

More formally we can define IV certificates as certificates containing a Common Name (CN) attribute with a value apparently corresponding to an actual named individual, for which the CA makes claims (e.g., in the CPS) that it has in some way validated that that value corresponds to the individual identity of the certificate subscriber. Note that some people use “IV” as a synonym for “OV” when referring to certificates issued to organizations. However it’s arguably more clear to use “IV” to refer only to certificates issued to individuals.

Note that an IV certificate could also contain an email address in addition to the individual identity information. Mozilla policy requires that email address to be validated to the same or greater degree as for a AV certificate.

The Daily Beast as seen by Ghostery

Install Ghostery on Chrome or Firefox; this page is particularly impressive:

Screen Shot 2013-05-17 at 08.35.25

Craig: “Are you a libertarian or something, because I’m not sensing any clear political philosophy behind your position?”

Alec: “No, I’m not a libertarian. I’m from the Internet. I’m here to help.


Future Identities: Changing identities in the UK: the next 10 years #bis #internet #identity

Link; I have not yet had time to read it but upon skimming it seems almost a sane reflection of how things actually work.  What therefore worries me is that a politician is therefore going to try to stick a stake in the ground to “leverage” this…

This Report provides an important opportunity for the Government to consider how identities in the UK are changing and the possible implications for policy making over the next 10 years. For the first time, it brings together many areas of research into a single coherent narrative to analyse how drivers of change may affect identities in the UK in the future.

The findings are based on the most recent evidence from a wide range of authoritative sources. Over 100 academics and stakeholders have contributed to the development of this Report and the analysis is supported by 20 published evidence papers. I am particularly grateful to the lead expert group, chaired by Professor Chris Hankin, which has overseen the work.

Foresight has undertaken this research in response to growing evidence that the UK has undergone significant changes which affect how people see themselves and others. The economic downturn, the effects of globalisation, and increasing international migration have all been influential, while the impact of social media and modern communications technology have created a new ‘digital’ UK. In particular, the Report discusses an emerging trend towards ‘hyper-connectivity’, where mobile technology and the ubiquity of the internet enable people to be constantly connected across many different platforms. Hyper-connectivity is already removing any meaningful distinction between online and offline identities, while also blurring ‘public’ and ‘private’ identities. The trend could also act to increase the pace of change, leading to more dynamic and changeable identities and behaviours.

This Report shows that ‘identity’ is not a simple notion. People can have many different overlapping identities which are fundamental to their individuality. Identities can exercise a powerful influence on the health and wellbeing of communities, and the degree to which they can build up social capital. There are important implications for a range of policy issues, such as the collection and use of data by government and the private sector, how individual rights and liberties can be balanced against privacy and security, and how inclusive identities can best be promoted.

ht MarkC and BIS

BBC Media Centre: Belle de Jour’s History Of Anon # Radio4, 31 Dec..4 Jan #privacy #anonymity /ht @bmagnanti @openrightsgroup

Belle de Jour’s History Of Anon

A history of anonymity and why writers have sought it, as told by Brooke Magnanti, the real voice behind one of the 21st century’s most famous anonymous texts, Belle de Jour’s Diary Of A London Call Girl.

Brooke explores motivations for remaining masked and the lengths the anonymous have gone to in order to remain unnamed. She draws on her own experiences to reveal how the concept of anonymity has changed – and how both writers and readers have dealt with it. From life or death to juggling open disclosure with the withholding of vital information, Brooke shows us that while we may not know their names, the anonymous have long shaped our worldview.

Presenter/Brooke Magnanti, Producer/Monise Durrani for the BBC

via BBC – Media Centre – Programme Information – Belle de Jour's History Of Anon.

The privacy of our medical records is being sold off #RossAnderson # At the Guardian and at LightBlueTouchpaper


Medical records are difficult, because they often contain publicly known information mixed in with private stuff: think of Gordon Brown’s eye operations. In a famous case, Harvard professor Latanya Sweeney managed to identify the medical record of the governor of Massachusetts from “anonymous” records released by the Veterans’ Administration.

For years, officials did not want to know. The idea that you could stop worrying about privacy if you just delete people’s names is altogether too seductive. John Major’s government built a database of hospital records with names removed, postcode and date of birth still there – so most patients are easy to identify. After the BMA objected, the Caldicott committee was set up to look into the problem and pointed out that more than 60 information flows in the NHS were illegal. The following Labour government at least did not deny the science, but went for legal fixes. The Data Protection Act 1998 was given a huge loophole: database operators can pretend data are anonymous if they can’t re-identify the records – even if others can.

The privacy of our medical records is being sold off | Ross Anderson | Comment is free | The Guardian

See also the background at the LBT blog:

The government has been pushing for this since last year, having appointed medical datamining enthusiast Tim Kelsey as its “transparency tsar”. There have been two consultations on how records should be anonymised, and how effective it could be; you can read our responses here and here (see also FIPR blog here). Anonymisation has long been known to be harder than it looks (and the Royal Society recently issued a authoritative report which said so). But getting civil servants to listen to X when the Prime Minister has declared for Not-X is harder still!

Despite promises that the anonymity mechanisms would be open for public scrutiny, CPRD refused a Freedom of Information request to disclose them, apparently fearing that disclosure would damage security. Yet research papers written using CPRD data will surely have to disclose how the data were manipulated. So the security mechanisms will become known, and yet researchers will become careless.

Where Identity meets Humanity

  • something you know = a password
  • something you have = a (third-party) credential
  • something you are = a relationship

Dump the middle one.

Copyright (c) Alec Muffett, 2012 🙂

Adriana Lukas – State of the Net 2012 – #YouTube #sotn2012 @adriana872

What I think is wrong with #VRM – HT @nzn @glynmoody @windley @dsearls @adriana872

What I think is currently wrong with VRM, so much so that I’ve essentially dropped out of it – sad, since I was there almost since very early on.

Working backwards:

  1. The fundamental requirements for truly personal platforms are not yet with us. Controlling your data unfortunately means being in physical control of it, or at least of the keys which encrypt it. There are no if’s and’s or but’s about this, alas.
  2. Too many people think in terms of data being (say) owned by the supermarket they have bought stuff from; you have the fact of your purchases already, so the data is already also yours – it’s just terribly inconvenient to scan data in from your receipts, so yes it would be better to demand your purchase history from Tesco/Walmart but this may or may not yield fruit because they also own that data.
  3. VRM as a movement has from the outset been usurped by the “if only people would use our new identity technology then this would all be easy” evangelists. Identity is bogus anyway, but this is particularly egregious solution-in-search-of-a-probleming.
  4. VRM as a movement has from the outset been usurped by the “if only people would use my new startup’s technology then this would all be easy” evangelists. Sometimes this is identity-related, but other times this bleeds into Let’s get everyone to give us their search-histories so we can use magic toolbars to offer them value independent of the corporations! But it’s OKAY for us to be middlemen BECAUSE WE ARE THE GOOD GUYS!
  5. VRM as a movement has from the outset been usurped by the “if only people would give us all our data to keep it safe for them! They can trust us” evangelists; this is for when you don’t want to foist a technology upon the masses but instead want all the data, you find some way to be “ethical” about it and do a data grab anyway. See “it’s OKAY for us to be middlemen BECAUSE WE ARE THE GOOD GUYS” again.

I still believe that the only person who ever understood VRM fully was Adriana Lukas because she realised (in the face of my arguments to the contrary) that it was not about storing data passively but instead about people using, mashing-up and sharing data in ways that they already understand – and critically that the definition of “controlling” data is not a techie-geeky DRM/DLP-like one, but instead a new relationship-oriented means of control that is so simple that people rarely understand the power of it.

As I put it frequently at the time: if you break up with someone then there’s no way to expunge all the embarassing things that they know about you; instead the point is that they don’t find out any further embarassing things. The whip hand is over the ongoing relationship and the mutual ability to terminate it, rather than access to previously-shared digital data which can be cached.

This understanding is why I got into Mine development in the first place[1] and why I implemented it twice-over, and why I understand that what has to happen first is the addressing of point (1) – almost all the software technologies exist, none of them require invention, all we need is a good bidirectional communications infrastructure and wide adoption of the ability by some means to selectively and easily unicast data in a direct point-to-point way, to replicate in the truest sense a “relationship” in the digital domain.

What we don’t need is to rely on identity hierarchies, or FOAF, or I-cards, trusted third parties, legal fictions for non-profit do-gooding, or anything else of that sort.

[1] Watch the first video, and the second if you are a geek; they are worth it

futuristic border-protecting iris-scanner technology, dead?

Technology of tomorrow, tomorrow…

BBC News – Eye scanners at England airports turned off.