An Open Letter to CA/Browser Forum re: Personal Certificates for “.onion”

Ryan, I’d like to take you up on your invitation and request that you forward the following text to the CA/Browser Forum public list, please…


Hi CA/B Forum! I’m a software engineer and one of the authors of RFC 7686; since 2001 I have maintained a personal blog and it’s overdue for a complete software refresh. I want to take advantage of Let’s Encrypt to provide normal HTTPS certificates for the blog, and I want a 100% HTTPS deployment when I am done.

I intend also to provide my blog with an Onion Address, thus my question:

On my blog I do not represent a company – I act purely as an individual; I expect to easily get a “normal” domain-related certificate from Let’s Encrypt, but as an individual I will not be able to get an EV certificate for my Onion Site as mandated by CA/B Forum Ballot 144.

This situation inhibits me from protecting my personal blog’s Onion Site with some form of Onion HTTPS certificate.

It further discriminates against my choice of software deployment as an individual.

Perhaps I could run my blog as HTTP-over-Onion and HTTPS-over-Internet, but this breaks my goal of a 100% HTTPS deployment. Clients of my Onion Site would not have access to HTTPS-only “Secure” cookies and other functionality which browsers today (or will soon) restrict to HTTPS sites, e.g. Camera & Microphone access. This would be an undesirable lack of consistency.

It is not viable to hack the Tor Browser to support an “Onion-only” CA, because only some portion of Tor traffic uses the Tor Browser; non-browser apps which use Tor would not be able to take advantage of such a kludge, and thereby would not see the benefit of SSL.

In any case, “.onion” is now an official special-use TLD, and therefore should be supported by official means.

After a hint from Ryan Sleevi – plus referring to the Mozilla CA glossary [1] – I did some research and think that I need either an AV (address validation) or an IV (individual validation) SSL Certificate for my personal blog’s Onion Site.

Discussing likely use cases with Runa Sandvik, we believe that people who use Tor desire (at least) all of privacy, anonymity and integrity. The option that seems most sympathetic to all of these requirements is the AV (address validation) certificate. An AV certificate would provide an Onion Address with an SSL certificate (and thus a form of persistent identity) corresponding simply to an RFC822 email address. This would appear extremely well-suited to users of Onion-backed instant messenger software, such as Ricochet, especially those communicating without reference to “real world” identities.

The alternative of an IV (individual validation) certificate appears closer to the goals of the EV certificate, being a more expensive “absolute identity” certificate that would (per the Glossary) require a Driving License, Passport, or National Identity Card to get. This would be useful for instances where people wish to publicly attest to ownership of what they write / blog / post / publish, but would be less useful e.g. for whistleblowers operating in repressive regimes.

Frankly I see a need for both, and would be (for this case in point) happy to get one of either, but am also open to other alternatives which would not require me to register a company to bootstrap.

So, finally, the question: how may I go about obtaining a suitable, personal, Onion-capable SSL Certificate for my blog, please?

Alec Muffett
London

[1] https://wiki.mozilla.org/CA:Glossary – some extracts follow:

AV (address validation) — Many CAs issue end entity certificates to individuals for use with S/MIME email for which the applicant need only demonstrate that they own and/or control the email address named in the certificate. For example, the owner of the “jdoe@example.com” address could obtain an AV certificate for that address based on their demonstrating to a CA that they owned or controlled the email address in question, e.g., by responding to an email sent to that address. We can refer to such certificates as address-validated or AV certificates.

More formally we can define AV certificates as certificates containing an emailAddress attribute or Subject Alternative Name extension with a value (or values) apparently corresponding to an RFC 822 email address, for which the CA makes claims (e.g., in the CPS) that it has in some way validated that the address in question is owned and/or legitimately controlled by the cert subscriber, and for which the CA makes no claims as to the validity of any individual identity stored in the Common Name attribute of the certificate. Note that “AV” is not a common industry term, but is newly-coined by analogy with “DV”, “IV”, etc. Some people use the term “DV” loosely to cover this case, but arguably it deserves a term of its own.

…and…

IV (individual validation or identity validation) — Many CAs issue end entity certificates to individuals for email, SSL/TLS client authentication, and other uses, for which the applicant is required to supply some sort of evidence as to their identity (e.g., by presenting themselves in person with a copy of their national identity card). These are commonly referred to as identity-validated or IV certificates.

More formally we can define IV certificates as certificates containing a Common Name (CN) attribute with a value apparently corresponding to an actual named individual, for which the CA makes claims (e.g., in the CPS) that it has in some way validated that that value corresponds to the individual identity of the certificate subscriber. Note that some people use “IV” as a synonym for “OV” when referring to certificates issued to organizations. However it’s arguably more clear to use “IV” to refer only to certificates issued to individuals.

Note that an IV certificate could also contain an email address in addition to the individual identity information. Mozilla policy requires that email address to be validated to the same or greater degree as for an AV certificate.
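The glossary's “more formal” definitions above are statements about certificate fields: an rfc822Name SAN for AV, a Common Name naming a person for IV. As an added example (not part of the letter or of the Mozilla glossary), the Go program below builds a throwaway self-signed certificate carrying a constructed `.onion` dNSName and an rfc822Name (both names are assumed, not real), then reads back which class the certificate's fields apparently claim; the personal-name heuristic for the CN is an assumption, and what a CA really validated is only knowable from its CPS, not from the certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// classify reads, from the certificate's fields alone, whether it carries a ".onion" dNSName
// SAN, an rfc822Name SAN (the glossary's "AV") and/or a CN naming a person (the glossary's "IV").
func classify(c *x509.Certificate) (onionSAN, avLike, ivLike bool) {
	for _, d := range c.DNSNames {
		onionSAN = onionSAN || strings.HasSuffix(strings.ToLower(d), ".onion")
	}
	avLike = len(c.EmailAddresses) > 0
	// Assumption: a dot-free CN with no Organization reads as a personal name, not a hostname.
	cn := c.Subject.CommonName
	ivLike = cn != "" && !strings.Contains(cn, ".") && len(c.Subject.Organization) == 0
	return
}

// selfSigned builds a throwaway self-signed certificate carrying the given subject and SANs,
// purely so the classifier can be exercised offline; no CA is involved.
func selfSigned(cn string, dns, emails []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: cn},
		DNSNames:       dns,
		EmailAddresses: emails,
		NotBefore:      time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed AV-style certificate for an onion site: identity bound only to an email address.
	c, err := selfSigned("", []string{"constructedexample.onion"}, []string{"alec@example.org"})
	if err != nil { panic(err) }
	fmt.Println(classify(c)) // true true false
}
```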

Why is BT charging me for services that they tell me are free/included?

I prepaid for an entire year of line rental and only use it for DSL; so compare:

Screen Shot 2013-11-24 at 20.45.45

With:

Screen Shot 2013-11-24 at 20.50.12

And:

Screen Shot 2013-11-24 at 20.52.05

…when, further, I saw this happening a few months ago (July? August?) and unsubscribed from those services; as I see it, I should not be billed anything, either because I unsubscribed from the services, or simply because I am promised that I “get the features with no extra cost”.

This is misrepresentation.

So @BoingBoing has apparently gone puerile and forgotten the bigger picture /cc @doctorow

I like Boing-Boing, I’ve read it for years. I’ve met Cory several times as part of my work to help the Open Rights Group. I am generally sympathetic to a lot of the posts which are posted there.

I like the blog.

So yesterday there was something in the BoingBoing twitterfeed – a Disney Winnie-the-Pooh, meant to mock Richard Dawkins for having posted something about the TSA doing the pointless things that the TSA do, viz: taking away harmless things from you at airports:

Yes Richard’s a brusque character and a pain in the arse as far as some people are concerned; but still this is a notable, useful and blatant piece of security theatre, about which BB has written at length.

I feel that the war on the war on terrorism should win over nerdy character assassination, so I tweeted my – relatively modest – thoughts about this, to be met with a reaction which I’d describe as “apparently puerile”:

Being ignored would have been a more mature response than this; I’d even half expect that.

But that’s not the weird thing.

The weird thing is that I checked my Google Docs this evening to find that Mark Frauenfelder has shared with me a “public” Google Doc entitled:

“People who are disappointed with Boing Boing”

Screencap:

Screen Shot 2013-11-06 at 00.26.14

My name is not on it, there is no explanation why he has shared it with me. Does he expect me to edit myself onto it? Am I supposed to see it and understand that I and a handful of others are “alone” in our criticism? Is this some sort of shit-list? A list of uncool people?

I can only suppose in the light of the childishness of the exchange last night that to understand the intent I would have to reach into my memory of pre-pubescence.

What the fuck, Boing-Boingers? You’re meant to be the cool people – and, mostly, the hip ones too? Perhaps you’re a collective rather than an organisation, but this action of whomever many speaks ill of your brand.

[PDF]
People who are disappointed with Boing Boing – Google Drive

Quote of the Day:

Person A, quoting Mark Twain:

“Never pick a fight with someone who buys ink by the barrel.”

Person B:

“In 2013, I think egress bandwidth may trump ink.”

Have logged this with @Jawbone about a bug with Big Jambox; let’s see what they do.

Hi Guys!

I am running a software-updated 11-inch, Mid 2011 MacBook Air and using my Big Jambox. For reference I am a Unix system programmer and developer with 25 years of experience, so if you want to talk to me using quite long technical words, I am very happy.

Long story short: I have paired and re-paired, software updated, and connected-via-USB-and-wiped-all-the-pairings-and-again-paired my Big Jambox with my MacBook Air, and yet STILL it refuses to play sound from my Mac whilst the Sound Preferences are set to STEREO “Bluetooth Headphones” (my emphasis) – but it is really well behaved and plays well as non-stereo Bluetooth Headphones… except it just sounds like crap.

So, to recap:

1) I go to System Preferences > Sound, while paired.

2) If I select “Alec M Jambox .. Bluetooth Headphones” => okay but low rez mono audio

3) If I select “Alec M Jambox Stereo .. Bluetooth Headphones” => does not work at all, no audio, silence. Makes a depressing “bloop” noise when I select it, then silence. Selecting back to non-stereo and it starts playing again immediately.

Syslog says this when I switch it to Stereo mode:

Sep 13 21:11:06 mistral.local coreaudiod[147] : Enabled automatic stack shots because audio IO is inactive
Sep 13 21:11:06 mistral kernel[0] : REQUIRE_NO_ERR_GOTO_ACTION failure: 0xe00002c0 – file: /SourceCache/IOBluetoothFamily_kexts/IOBluetoothFamily-4140.4.2/Core/Family/Drivers/IOBluetoothSCOAudioDriver/IOBluetoothSCOAudioEngine.cpp:550
--- last message repeated 1 time ---
Sep 13 21:11:08 mistral.local coreaudiod[147] : Disabled automatic stack shots because audio IO is active

…at which point it goes silent. When I switch it back to mono audio playback I get this:

Sep 13 21:11:59 mistral.local coreaudiod[147] : Enabled automatic stack shots because audio IO is inactive
Sep 13 21:11:59 mistral.local coreaudiod[147] : Disabled automatic stack shots because audio IO is active
Sep 13 21:11:59 mistral kernel[0] : [AppleBluetoothHCIControllerUSBTransport][HandleIsochData] — Error: 0xE000400F (kIOUSBMessagePortWasNotSuspended)
Sep 13 21:11:59 mistral kernel[0] : E:[AppleBluetoothHCIControllerUSBTransport][AppleBluetoothHCIControllerUSBTransport::HandleIsochData] error 0xe000400f (kIOUSBMessagePortWasNotSuspended) — Isoch In pipe

…and then it springs into lo-fi life.

It’s deeply vexing not to be able to use the Big Jambox over bluetooth properly. I am, I repeat, running the latest 10.8 OSX patches, and have run Disk Utility permissions-checking to ensure nothing is untoward in /dev. Looks like a driver issue to me.

Any idea how I can fix this, please?