An Open Letter to CA/Browser Forum re: Personal Certificates for “.onion”

Ryan, I’d like to take you up on your invitation and request that you forward the following text to the CA/Browser Forum public list, please…


Hi CA/B Forum! I’m a software engineer and one of the authors of RFC 7686; since 2001 I have maintained a personal blog and it’s overdue for a complete software refresh. I want to take advantage of Let’s Encrypt to provide normal HTTPS certificates for the blog, and I want a 100% HTTPS deployment when I am done.

I intend also to provide my blog with an Onion Address, thus my question:

On my blog I do not represent a company – I act purely as an individual; I expect to easily get a “normal” domain-related certificate from Let’s Encrypt, but as an individual I will not be able to get an EV certificate for my Onion Site as mandated by CA/B Forum Ballot 144.

This situation inhibits me from protecting my personal blog’s Onion Site with some form of Onion HTTPS certificate.

It further discriminates against my choice of software deployment as an individual.

Perhaps I could run my blog as HTTP-over-Onion and HTTPS-over-Internet, but this breaks my goal of a 100% HTTPS deployment. Clients of my Onion Site would not have access to HTTPS-only “Secure” cookies and other functionality which browsers today (or will soon) restrict to HTTPS sites, e.g. Camera & Microphone access. This would be an undesirable lack of consistency.

It is not viable to hack the Tor Browser to support an “Onion-only” CA, because only some portion of Tor traffic uses the Tor Browser; non-browser apps which use Tor would not be able take advantage of such a kludge, and thereby would not see the benefit of SSL.

In any case, “.onion” is now an official special-use TLD, and therefore should be supported by official means.

After a hint from Ryan Sleevi – plus referring to the Mozilla CA glossary [1] – I did some research and think that I need either an AV (address validation) or an IV (individual validation) SSL Certificate for my personal blog’s Onion Site.

Discussing likely use cases with Runa Sandvik, we believe that people who use Tor desire (at least) all of privacy, anonymity and integrity. The option that seems most sympathetic to all of these requirements is the AV (address validation) certificate. An AV certificate would provide an Onion Address with an SSL certificate (and thus a form of persistent identity) corresponding simply to an RFC822 email address. This would appear extremely well-suited to users of Onion-backed instant messenger software, such as Ricochet, especially those communicating without reference to “real world” identities.

The alternative of an IV (individual validation) certificate appears closer to the goals of the EV certificate, being a more expensive “absolute identity” certificate that would (per the Glossary) require a Driving License, Passport, or National Identity Card to get. This would be useful for instances where people wish to publicly attest to ownership of what they write / blog / post / publish, but would be less useful e.g. for whistleblowers operating in repressive regimes.

Frankly I see a need for both, and would be (for this case in point) happy to get one of either, but am also open to other alternatives which would not require me to register a company to bootstrap.

So, finally, the question: how may I go about obtaining a suitable, personal, Onion-capable SSL Certificate for my blog, please?

Alec Muffett
London

[1] https://wiki.mozilla.org/CA:Glossary – some extracts follow:

AV (address validation) — Many CAs issue end entity certificates to individuals for use with S/MIME email for which the applicant need only demonstrate that they own and/or control the email address named in the certificate. For example, the owner of the “jdoe@example.com” address could obtain an AV certificate for that address based on their demonstrating to a CA that they owned or controlled the email address in question, e.g., by responding to email addresses sent to an email sent to that address. We can refer to such certificates as address-validated or AV certificates.

More formally we can define AV certificates as certificates containing an emailAddress attribute or Subject Alternative Name extension with a value (or values) apparently corresponding to an RFC 822 email address, for which the CA makes claims (e.g., in the CPS) that it has in some way validated that that address in question is owned and/or legitimately controlled by the cert subscriber, and for which the CA makes no claims as to the validity of any individual identity stored in the Common Name attribute of the certificate. Note that “AV” is not a common industry term, but is newly-coined by analogy with “DV”, “IV”, etc. Some people use the term “DV” loosely to cover this case, but arguably it deserves a term of its own.

…and…

IV (individual validation or identity validation) — Many CAs issue end entity certificates to individuals for email, SSL/TLS client authentication, and other uses, for which the applicant is required to supply some sort of evidence as to their identity (e.g., by presenting themselves in person with a copy of their national identity card). These are commonly referred to as identity-validated or IV certificates.

More formally we can define IV certificates as certificates containing a Common Name (CN) attribute with a value apparently corresponding to an actual named individual, for which the CA makes claims (e.g., in the CPS) that it has in some way validated that that value corresponds to the individual identity of the certificate subscriber. Note that some people use “IV” as a synonym for “OV” when referring to certificates issued to organizations. However it’s arguably more clear to use “IV” to refer only to certificates issued to individuals.

Note that an IV certificate could also contain an email address in addition to the individual identity information. Mozilla policy requires that email address to be validated to the same or greater degree as for a AV certificate.

Craig: “Are you a libertarian or something, because I’m not sensing any clear political philosophy behind your position?”

Alec: “No, I’m not a libertarian. I’m from the Internet. I’m here to help.

Haz.

Future Identities: Changing identities in the UK: the next 10 years #bis #internet #identity

Link; I have not yet had time to read it but upon skimming it seems almost a sane reflection of how things actually work.  What therefore worries me is that a politician is therefore going to try to stick a stake in the ground to “leverage” this…

This Report provides an important opportunity for the Government to consider how identities in the UK are changing and the possible implications for policy making over the next 10 years. For the first time, it brings together many areas of research into a single coherent narrative to analyse how drivers of change may affect identities in the UK in the future.

The findings are based on the most recent evidence from a wide range of authoritative sources. Over 100 academics and stakeholders have contributed to the development of this Report and the analysis is supported by 20 published evidence papers. I am particularly grateful to the lead expert group, chaired by Professor Chris Hankin, which has overseen the work.

Foresight has undertaken this research in response to growing evidence that the UK has undergone significant changes which affect how people see themselves and others. The economic downturn, the effects of globalisation, and increasing international migration have all been influential, while the impact of social media and modern communications technology have created a new ‘digital’ UK. In particular, the Report discusses an emerging trend towards ‘hyper-connectivity’, where mobile technology and the ubiquity of the internet enable people to be constantly connected across many different platforms. Hyper-connectivity is already removing any meaningful distinction between online and offline identities, while also blurring ‘public’ and ‘private’ identities. The trend could also act to increase the pace of change, leading to more dynamic and changeable identities and behaviours.

This Report shows that ‘identity’ is not a simple notion. People can have many different overlapping identities which are fundamental to their individuality. Identities can exercise a powerful influence on the health and wellbeing of communities, and the degree to which they can build up social capital. There are important implications for a range of policy issues, such as the collection and use of data by government and the private sector, how individual rights and liberties can be balanced against privacy and security, and how inclusive identities can best be promoted.

ht MarkC and BIS

BBC Media Centre: Belle de Jour’s History Of Anon # Radio4, 31 Dec..4 Jan #privacy #anonymity /ht @bmagnanti @openrightsgroup

Belle de Jour’s History Of Anon

A history of anonymity and why writers have sought it, as told by Brooke Magnanti, the real voice behind one of the 21st century’s most famous anonymous texts, Belle de Jour’s Diary Of A London Call Girl.

Brooke explores motivations for remaining masked and the lengths the anonymous have gone to in order to remain unnamed. She draws on her own experiences to reveal how the concept of anonymity has changed – and how both writers and readers have dealt with it. From life or death to juggling open disclosure with the withholding of vital information, Brooke shows us that while we may not know their names, the anonymous have long shaped our worldview.

Presenter/Brooke Magnanti, Producer/Monise Durrani for the BBC

via BBC – Media Centre – Programme Information – Belle de Jour's History Of Anon.