discuss - Re: [opennic-discuss] Let's Encrypt

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: Calum McAlinden <calum AT mcalinden.me.uk>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Let's Encrypt
  • Date: Mon, 04 Apr 2016 14:17:57 +0100

It looks as though .onion has been designated a special-use top-level domain by the IETF and IANA (https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml), allowing DigiCert to issue certificates. Personally, I think that, given the current status of OpenNIC, it is unlikely that the TLDs would be designated special-use TLDs at present.

On Mon, 4 Apr, 2016 at 1:31 PM, Michel Le Bihan <michel AT lebihan.pl> wrote:
AFAIK DigiCert is issuing certificates for .onion domains...

On 4 April 2016 14:25:50 GMT+02:00, Blixa Morgan <blixa AT projectmakeit.com> wrote:

Fair enough.  I didn't know if they were bound to those requirements or not.


On Mon, Apr 4, 2016, 04:07 Calum McAlinden <calum AT mcalinden.me.uk> wrote:
I don't think this would work. Validation of ICANN domains only is probably a requirement for certificate authorities to be included in major browsers and operating systems. If Let's Encrypt were to issue certificates to any non-ICANN domain, they would be removed from major browsers and this would render the certificates about as useful as CAcert's.

On Mon, 4 Apr, 2016 at 6:44 AM, Blixa Morgan <blixa AT projectmakeit.com> wrote:
Actually, from a cert signing side, Let's Encrypt should have a master cert that is valid for anything, including non-ICANN domains.  What would prevent it from working is their domain validation service, which will attempt to connect to the domain name before approving the certificate.  Since they do not currently use OpenNIC on their Let's Encrypt servers, they would get a DNS failure.

So all we would need to do is get them to set up a validation server that uses OpenNIC, and all should be good.

On Sun, Apr 3, 2016, 17:59 Carlo Stemberger <carlo.stemberger AT gmail.com> wrote:
2016-04-03 21:42 GMT+02:00 Neal J. de Waard <inewbcake AT gmail.com>:
No, they cannot issue certs to domains under TLDs not recognized by ICANN

That's a pity. I see two possible solutions:

1) convince them to certify (at least) OpenNIC domains
2) create an alternative and convince Mozilla, Google etc. to consider their certificates as valid

Ciao!

Carlo


--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org
--

-------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
