[DNSOP] draft-appelbaum-dnsop-onion-tld-01 update (Was: Interim Meeting on Special Names and RFC 6761)

Alec Muffett <alecm@fb.com> Tue, 14 April 2015 20:28 UTC

From: Alec Muffett <alecm@fb.com>
To: dnsop <dnsop@ietf.org>
Date: Tue, 14 Apr 2015 20:28:50 +0000
Message-ID: <07AA6770-816B-491C-A34D-8C3724767DFF@fb.com>
References: <20150330022211.E63E9AE3F9@smtp.postman.i2p> <20150409024829.70D59AE3FE@smtp.postman.i2p> <55260AD5.8020805@gmail.com> <D8AB191B-EBCE-41DE-AF02-83CE7B155B46@vpnc.org> <CAHw9_iKtOSovrVS6eAGKzHTS4Wmwb52D1zPbT=VF+8_ELdLM6w@mail.gmail.com>
In-Reply-To: <CAHw9_iKtOSovrVS6eAGKzHTS4Wmwb52D1zPbT=VF+8_ELdLM6w@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/eQu-slItK8-qxaIWx4y1F7puxKA>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, Richard Barnes <rlb@ipv.sx>, Mark Nottingham <mnot@mnot.net>, Paul Hoffman <paul.hoffman@vpnc.org>

On Apr 14, 2015, at 1:02 PM, Warren Kumari <warren@kumari.net> wrote:
> Hopefully one that will work for those folk who a: live in Europe and /
> or b: will be at DNS-OARC and the DNS track at RIPE...
> Seeing as Interims are supposed to be announced >=30 days in the
> future I'm guessing not the 14th of May…

Hi All,

Per this topic, I have uploaded v-01 of draft-appelbaum-dnsop-onion-tld; differences are viewable at:

http://www.ietf.org/rfcdiff?url1=draft-appelbaum-dnsop-onion-tld-00&url2=draft-appelbaum-dnsop-onion-tld-01

…and the diff largely consists of some technical simplification, thanks & acknowledgements, and typos.

I would also like to take this opportunity to correct a timeline for the potential death of existing “.onion” TLD certificates in the instance that the “.onion” special use domain is not registered in the near-to-medium term; this correction arises from a misunderstanding on my part of the results of CA/B Forum Ballot 144, and is not a substantial error (off by one month) but I would like it to be clear for all interested parties.


== Summary ==

All “.onion” SSL certificates will be revoked if “.onion” is not approved as a special use TLD on/by November 1st 2015; if “.onion” is approved then the certificates will persist without action being required.

= Timeline =

== March 2014 ==

CA/B Forum approve Ballot 144, paving a route to “proper” SSL Certificates for Onion Sites

== Current Day Goes Here ==

Hello world.

== 1 May 2015 ==

All existing “.onion” SSL Certificates which were issued under the “local names” exception “must” be revoked by their issuer, the expectation being that the certificate holder will receive a new Ballot-144-compliant “EV” Onion certificate. This is what I was not formerly clear regarding, and see below because...

== 1 October 2015 ==

The "Local Names” exception, under which SSL Onion certificates were originally issued, dies; this will doubly-kill all the Onion certificates, however the Ballot-144-compliant “EV” Onion certificates have until…

== 1 November 2015 ==

…which is the CA/B Forum “deadline” for IETF to approve “.onion” as a TLD; if “.onion” is not approved by this time then the certs will be “turned off” / killed by the certificate authorities.

Alec Muffett
Security Infrastructure
Facebook Engineering