An Open Letter to CA/Browser Forum re: Personal Certificates for “.onion”

Ryan, I’d like to take you up on your invitation and request that you forward the following text to the CA/Browser Forum public list, please…

Hi CA/B Forum! I’m a software engineer and one of the authors of RFC 7686; since 2001 I have maintained a personal blog and it’s overdue for a complete software refresh. I want to take advantage of Let’s Encrypt to provide normal HTTPS certificates for the blog, and I want a 100% HTTPS deployment when I am done.

I intend also to provide my blog with an Onion Address, thus my question:

On my blog I do not represent a company – I act purely as an individual; I expect to easily get a “normal” domain-related certificate from Let’s Encrypt, but as an individual I will not be able to get an EV certificate for my Onion Site as mandated by CA/B Forum Ballot 144.

This situation inhibits me from protecting my personal blog’s Onion Site with some form of Onion HTTPS certificate.

It further discriminates against my choice of software deployment as an individual.

Perhaps I could run my blog as HTTP-over-Onion and HTTPS-over-Internet, but this breaks my goal of a 100% HTTPS deployment. Clients of my Onion Site would not have access to HTTPS-only “Secure” cookies and other functionality which browsers today (or will soon) restrict to HTTPS sites, e.g. Camera & Microphone access. This would be an undesirable lack of consistency.

It is not viable to hack the Tor Browser to support an “Onion-only” CA, because only some portion of Tor traffic uses the Tor Browser; non-browser apps which use Tor would not be able take advantage of such a kludge, and thereby would not see the benefit of SSL.

In any case, “.onion” is now an official special-use TLD, and therefore should be supported by official means.

After a hint from Ryan Sleevi – plus referring to the Mozilla CA glossary [1] – I did some research and think that I need either an AV (address validation) or an IV (individual validation) SSL Certificate for my personal blog’s Onion Site.

Discussing likely use cases with Runa Sandvik, we believe that people who use Tor desire (at least) all of privacy, anonymity and integrity. The option that seems most sympathetic to all of these requirements is the AV (address validation) certificate. An AV certificate would provide an Onion Address with an SSL certificate (and thus a form of persistent identity) corresponding simply to an RFC822 email address. This would appear extremely well-suited to users of Onion-backed instant messenger software, such as Ricochet, especially those communicating without reference to “real world” identities.

The alternative of an IV (individual validation) certificate appears closer to the goals of the EV certificate, being a more expensive “absolute identity” certificate that would (per the Glossary) require a Driving License, Passport, or National Identity Card to get. This would be useful for instances where people wish to publicly attest to ownership of what they write / blog / post / publish, but would be less useful e.g. for whistleblowers operating in repressive regimes.

Frankly I see a need for both, and would be (for this case in point) happy to get one of either, but am also open to other alternatives which would not require me to register a company to bootstrap.

So, finally, the question: how may I go about obtaining a suitable, personal, Onion-capable SSL Certificate for my blog, please?

Alec Muffett

[1] – some extracts follow:

AV (address validation) — Many CAs issue end entity certificates to individuals for use with S/MIME email for which the applicant need only demonstrate that they own and/or control the email address named in the certificate. For example, the owner of the “” address could obtain an AV certificate for that address based on their demonstrating to a CA that they owned or controlled the email address in question, e.g., by responding to email addresses sent to an email sent to that address. We can refer to such certificates as address-validated or AV certificates.

More formally we can define AV certificates as certificates containing an emailAddress attribute or Subject Alternative Name extension with a value (or values) apparently corresponding to an RFC 822 email address, for which the CA makes claims (e.g., in the CPS) that it has in some way validated that that address in question is owned and/or legitimately controlled by the cert subscriber, and for which the CA makes no claims as to the validity of any individual identity stored in the Common Name attribute of the certificate. Note that “AV” is not a common industry term, but is newly-coined by analogy with “DV”, “IV”, etc. Some people use the term “DV” loosely to cover this case, but arguably it deserves a term of its own.


IV (individual validation or identity validation) — Many CAs issue end entity certificates to individuals for email, SSL/TLS client authentication, and other uses, for which the applicant is required to supply some sort of evidence as to their identity (e.g., by presenting themselves in person with a copy of their national identity card). These are commonly referred to as identity-validated or IV certificates.

More formally we can define IV certificates as certificates containing a Common Name (CN) attribute with a value apparently corresponding to an actual named individual, for which the CA makes claims (e.g., in the CPS) that it has in some way validated that that value corresponds to the individual identity of the certificate subscriber. Note that some people use “IV” as a synonym for “OV” when referring to certificates issued to organizations. However it’s arguably more clear to use “IV” to refer only to certificates issued to individuals.

Note that an IV certificate could also contain an email address in addition to the individual identity information. Mozilla policy requires that email address to be validated to the same or greater degree as for a AV certificate.

Why is BT charging me for services that they tell me are free/included?

I prepaid for an entire year of line rental and only use it for DSL; so compare:

Screen Shot 2013-11-24 at 20.45.45


Screen Shot 2013-11-24 at 20.50.12


Screen Shot 2013-11-24 at 20.52.05

…when, further, I saw this happening a few months ago (July? August?) and unsubscribed from those services; as I see it, I should not be being billed anything either because I unsubscribed from the services, or simply because I am promised that I “get the features with no extra cost”.

This is misrepresentation.

So @BoingBoing has apparently gone puerile and forgotten the bigger picture /cc @doctorow

I like Boing-Boing, I’ve read it for years. I’ve met Cory several times as part of my work to help the Open Rights Group. I am generally sympathetic to a lot of the posts which are posted there.

I like the blog.

So yesterday there was something in the BoingBoing twitterfeed – a Disney Winnie-the-Pooh, meant to mock Richard Dawkins for having posted something about the TSA doing the pointless things that the TSA do, viz: taking away harmless things from you at airports:

Yes Richard’s a brusque character and a pain in the arse as far as some people are concerned; but still this is a notable, useful and blatant piece of security theatre, about which BB has written at length.

I feel that the war on the war on terrorism should win over nerdy character assassination, so I tweeted my – relatively modest – thoughts about this, to be met with a reaction which I’d describe as “apparently puerile”:

Being ignored would have been more mature response than this, I’d even half expect that.

But that’s not the weird thing.

The weird thing is that I checked my Google Docs this evening to find that Mark Frauenfelder has shared with me a “public” Google Doc entitled:

“People who are disappointed with Boing Boing”


Screen Shot 2013-11-06 at 00.26.14

My name is not on it, there is no explanation why he has shared it with me. Does he expect me to edit myself onto it? Am I supposed to see it and understand that I and a handful of others are “alone” in our criticism? Is this some sort of shit-list? A list of uncool people?

I can only suppose in the light of the childishness of the exchange last night that to understand the intent I would have to reach into my memory of pre-pubescence.

What the fuck, Boing-Boingers? You’re meant to be the cool people – and, mostly, the hip ones too? Perhaps you’re a collective rather than an organisation, but this action of whomever many speaks ill of your brand.

People who are disappointed with Boing Boing – Google Drive

Quote of the Day:

Person A, quoting Mark Twain:

“Never pick a fight with someone who buys ink by the barrel.”

Person B:

“In 2013, I think egress bandwidth may trump ink.”

Muffett’s Personal Opinion on the Cyber Volunteer Force

A friend of mine asked me about the UK’s mooted Cybersecurity “volunteer” force; this is approximately how I responded:

The Cyber-Force thing is simultaneously scary, tragic and amusing; Iain Lobban – Director of GCHQ – has been heard to lament that they cannot afford to pay for geeks:

…that essentially they can’t compete with private sector industry for salaries and conditions.

The truth is a little more complex and a little less clear-cut than that.

From my modest experience of the demographic – dating from around 1994 to the present day – the UK defence establishment has subsisted by chewing-up public spirited geeks who were willing to trade shitty pay for unfireable job-security and an index-linked civil service pension from age ~55ish, thence to buy a cottage in Cornwall, or Provence or something.

The unfireable pension opportunity has now evaporated and DERA (the Defence Evaluation and Research Agency) which provided the hinterland of geeks for GCHQ was largely privatised as Qinetiq – significant numbers have left that – plus computing is now sexy again, so suddenly a lot of the UK’s core security expertise is going into private hands.

You know my perspective on “cyber”[1] – that it is a framing of the debate to launder:

  • interception/monitoring/snooping
  • filtering/blocking/censorship
  • public relations/propaganda, and …
  • expansion of state regulation opportunity

…as a necessary new military activity in a new “domain” – the domain of “communications” – which they call “cyber” because calling it communications would be too obviously unmilitary for people to bear.

Not to mention that honesty would sound too “Orwellian”.

However the good manpower is now off earning loadsamoney with either:

  1. “Big Data”, or…
  2. “Silicon Roundabout Startups” – which are sacrosanct because they may save the economy and the DTI is currently behind them.

…and therefore GCHQ are calling for volunteer cyberwarrior do-gooders.

If in one scenario this is not terrifying to normal people then it bloody well ought to be, if only for the example of “LOVEINT” at the NSA:

…because if the best-funded cyberagency in the world has significant spy-on-your-ex-lover issues, what the hell will happen when you let loose a bunch of volunteers on the spook-internal databases of the UK?

There would be rather more “snoop on your mate’s ex-girlfriend” than “Edward Snowden” activity, to be sure.

But let’s instead imagine that GCHQ are not fools and that the volunteers are kept at a discreet arm’s length from the datacentre at Cheltenham; what then? Will you have a bunch of volunteers going around to BNFL and setting up firewalls for nuclear power stations? Or trying to hack into the National Grid? I think they’re already equipped.

What will they be doing, and will they actually be any good at it? And whom will they be depriving of a paid job in the interim? Answers: they won’t be sure, not terribly, and possibly themselves.

I’ve spoken with a competition winner from the GCHQ “UK Cyber Champion” contest and it seems that even if they really like you as a person, the public sector does not have the culture to employ creative, individualistic, modern computer people.

So I think they are in trouble; and you can’t justify the budgets if you can’t get the staff.

If I was to suggest a way out for GCHQ and the Government it would be to stop fretting about process so much, stop throwing money at the big defence contractors and instead engage directly with smaller parties in the private sector.

But that will never happen on the scale which it needs to. Alas.

[1] my perspective on cyber:

The cost of UK Cybercrime was not £27bn – Hansard

Told you so…

Chi Onwurah (Newcastle upon Tyne Central, Labour)

Let us look at cyber-statistics. In answer to my parliamentary question, the Minister put the cost of cybercrime at £27 billion, but that turns out to be a 2010 “guestimate” from defence company Detica. The National Audit Office misused Cambridge university figures, managing to confuse pounds with dollars. We all know that online crime is rising, but the Government rely on outdated third-party figures. Is he surprised that the public do not trust the Government’s efforts to fight cybercrime, given that they clearly cannot even measure it?

Source; also, the Cabinet Office are throwing it under a bus:

I am writing to advise you that following a search of our paper and electronic records, I have established that the information you requested is not held by the Cabinet Office.

The £27 billion per annum figure is not our figure but comes from a BAE Systems/Detica report. We do not hold any information about how this figure was arrived at.

End days for Cyberfear?

Have logged this with @Jawbone about a bug with Big Jambox; let’s see what they do.

Hi Guys!

I am running a software-updated 11-inch, Mid 2011 MacBook Air and using my Big Jambox. For reference I am a Unix system programmer and developer with 25 years of experience, so if you want to talk to me using quite long technical words, I am very happy.

Long story short: I have paired and re-paired, software updated, and connected-via-USB-and-wiped-all-the-pairings-and-again-paired my Big Jambox with my Macbook Air, and yet STILL it refuses to play sound from my Mac whilst the Sound Preferences are set to STEREO “Bluetooth Headphones” (my emphasis) – but it is really well behaved and plays well as non-stereo Bluetooth Headphones… except it just sounds like crap.

So, to recap:

1) I go to System Preferences > Sound, while paired.

2) If I select “Alec M Jambox .. Bluetooth Headphones” => okay but low rez mono audio

3) If I select “Alec M Jambox Stereo .. Bluetooth Headphones” => does not work at all, no audio, silence. Makes a depressing “bloop” noise when I select it, then silence. Selecting back to non-stereo and it start playing again immediately.

Syslog says this when I switch it to Stereo mode:

Sep 13 21:11:06 mistral.local coreaudiod[147] : Enabled automatic stack shots because audio IO is inactive
Sep 13 21:11:06 mistral kernel[0] : REQUIRE_NO_ERR_GOTO_ACTION failure: 0xe00002c0 – file: /SourceCache/IOBluetoothFamily_kexts/IOBluetoothFamily-4140.4.2/Core/Family/Drivers/IOBluetoothSCOAudioDriver/IOBluetoothSCOAudioEngine.cpp:550
— last message repeated 1 time —
Sep 13 21:11:08 mistral.local coreaudiod[147] : Disabled automatic stack shots because audio IO is active

…at which point it goes silent. When I switch it back to mono audio playback I get this:

Sep 13 21:11:59 mistral.local coreaudiod[147] : Enabled automatic stack shots because audio IO is inactive
Sep 13 21:11:59 mistral.local coreaudiod[147] : Disabled automatic stack shots because audio IO is active
Sep 13 21:11:59 mistral kernel[0] : [AppleBluetoothHCIControllerUSBTransport][HandleIsochData] — Error: 0xE000400F (kIOUSBMessagePortWasNotSuspended)
Sep 13 21:11:59 mistral kernel[0] : E:[AppleBluetoothHCIControllerUSBTransport][AppleBluetoothHCIControllerUSBTransport::HandleIsochData] error 0xe000400f (kIOUSBMessagePortWasNotSuspended) — Isoch In pipe

….and then it springs into lo-fi life.

It’s deeply vexing not to be able to use the Big Jambox over bluetooth properly. I am, I repeat, running the latest 10.8 OSX patches, and have run Disk Utility permissions-checking to ensure nothing is untoward in /dev. Looks like a driver issue to me.

Any idea how I can fix this, please?

I am still trying to work out what happened to the Guardian’s followup Clegg article

So Googling for the relevant phrase yields this:

Screen Shot 2013-08-25 at 13.29.09


Mousing over the “Nick Clegg queries…” link at the top yields the link illustrated at the bottom; but when you click through to Nicholas Watt’s article it does not use the word “intent” or any other of the relevant text. I am trying to establish whether the matching search text comes from the original article or somehow from comments, or similar, on Watt’s posting.

Or, it may too have been edited.  But silently. Not sure yet.

Apparently the Deputy PM thinks Anti-Terrorism Legislation is fairly used to retrieve/destroy classified data #Miranda

Interesting. Nick Clegg’s recent (friday evening) posting in the Guardian has been amended, saying:

This article was amended at 21.05 BST for legal reasons

Why would that be? Well a blogger notes:

Really, I don’t think I need say any more than point this out; and if the comment has been culled “for legal reasons”, all the more reason to highlight what was formerly said and presumably thought, I feel…

See also Reddit and just google the phrase to watch for a cascade of edits in other forums.

A simple rebuttal to @cguitton’s attempt to trash Tor Hidden Services /cc @torproject

There’s this paper by this guy at KCL.

That he’s posted it on Dropbox is both relevant and ironic.

In it, and in his Twitter feed, he argues essentially that Tor is OK-ish, but promotes anonymity – which he sees as “bad” – and Tor Hidden Services are intolerable and should “no longer be developed” because they promote so many bad things.

There are a bunch of arguments one could have about morality, privacy, anonymity, etc; but that’s playing the game in the expected fashion, leading to much postmodern posing and wastage of breath; so I will try a different, more Turingesque machine-based approach.

It’s very simple:

Strategically there is no communications difference between Tor, and Tor Hidden Services; what do I mean by this? I mean that both are simply forms of communication, and all forms of communication are functionally interchangable. To explain:

Tor mirrors the Internet and provides a connected graph of nodes which can communicate peer-to-peer; Tor Hidden Services provide a client-server model akin to the Web which runs atop the Internet.

If we are talking about access to data at rest – then we can provide such access in both models; with peer-to-peer networks we use Content-Based Addressing (a-la “Magnet Links” on Bittorrent) and on client-server networks we use Resource-Based Addressing (a-la URLs on the Web)

If we are talking about access to data in motion – then we can also provide such access in both models; with peer-to-peer communications (Skype, Bittorrent, E-Mail, USENET) – which may be synchronous (VoIP) or not (store-and-forward); and on client-server networks we historically just emulate the endpoints of peer-to-peer communication (E-mail becomes IMAP).

If data is not at rest or in motion, what is it?

So: there are two sorts of data and two communications mechanisms which are equivalent, merely using alternate addressing strategies* to distinguish them; with this understanding there is no way to choose one over another, nor reject one as “bad” while the other is “ok” or “good”.

Therefore, when one is dismissing a communications mechanism as bad, one is not talking about the medium, because all communications media are technically equivalent.

Instead, one is talking about the message. Therefore one is talking about censorship.

Welcome to your new role, Clement. Censor. QED.

Also, Dropbox, really? That’s not a proper webserver at all. If anything, it’s a peer-to-peer network with hierarchical backing storage and distributed web-emulating frontends.

* Another example:

  • Resource based addressing: “third shelf, fourth book along”
  • Content based addressing: “says it’s authored by Dickens, begins with ‘It was the best of times, it was the worst of times…'”

Do you know what it is, yet?