Darknet Cleanup: .onion Sites Now Require Digital Certificates

The CA/Browser Forum alliance has updated its requirements for certification authorities (CAs) and audit processes, introducing new rules for issuing certificates for .onion domains. These changes aim to strengthen control, transparency, and security within the public key infrastructure (PKI).

Obligations and Auditing of Certification Authorities

Under the new requirements, each CA must:

  • Comply with current standards and undergo audits within specified timeframes.
  • Obtain a license in every jurisdiction where it is legally required.
  • Ensure adherence to the Certificate Policy (CP) and Certification Practice Statement (CPS).

If a CA issues certificates that can themselves be used to issue further certificates (subordinate CA certificates), those certificates must be technically constrained (as set out in sections 7.1.2.3–7.1.2.5 of the requirements) or covered by a full audit. Every period in which certificates are issued must be covered by an audit, performed at least once a year. If no current audit report exists, a readiness assessment must be completed before any certificates are issued.

Auditing and Auditor Qualifications

Audits must be performed by a qualified auditor with the following competencies:

  • Independence from the audited entity.
  • Expertise in PKI analysis, information security, and certification standards.
  • WebTrust license or ETSI accreditation in accordance with ISO 17065.
  • Professional liability insurance with a minimum limit of $1 million.

A CA may choose one of the following audit schemes:

  • WebTrust (version 2.7 or newer).
  • ETSI (e.g., EN 319 411-1).
  • Internal audit scheme, if it meets or is comparable to accepted standards.

The audit report must include complete information about the organization, certification centers, certificates used, and applied criteria. It must be published within three months after the end of the audit period. If the report is delayed, the CA must publish an explanatory letter signed by the auditor.

CAs are required to conduct self-audits at least quarterly, checking a random sample of certificates. Starting March 15, 2025, these samples must be checked using a linting process to assess the technical accuracy of certificates. Similar checks apply to third-party delegates, who must also undergo annual audits.

Certificates for .onion Domains

According to the new requirements, certificates for .onion domains must follow strict rules. The domain must have two levels: “onion” and a unique version 3 address as specified by Tor.

CAs must verify ownership of a .onion domain using the following methods:

  • Agreed-upon changes on the website (sections 3.2.2.4.18 and 3.2.2.4.19).
  • Using TLS via ALPN (section 3.2.2.4.20).

All validation connections must be made directly over the Tor protocol, not through intermediary services such as Tor2Web. A further verification option is for the applicant to sign the certificate request with the hidden service’s private key, with high-entropy nonce values included so that the CA can confirm the request is genuine.

CAs may not issue wildcard certificates for .onion domains unless the rules specifically allow it. The requirements also state that certificates for .onion domains will not be treated as internal names, provided they meet the new criteria. This change is intended to increase trust and improve security within the Tor ecosystem.
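The two-level rule above (a single 56-character version 3 label directly under “onion”, no wildcards, no extra sub-labels) is something a CA's issuance pipeline can check before any validation traffic is sent. The following is an added example, not code from the article or from the Tor project: it builds and parses v3 addresses using the layout from Tor's rendezvous specification (32-byte ed25519 public key, a 2-byte SHA3-256 checksum over “.onion checksum” + key + version, and the version byte 0x03, base32-encoded). The sample key used in the `__main__` section is constructed for illustration and belongs to no real service.

```python
import base64
import binascii
import hashlib

# Layout of a v3 onion address per the Tor rendezvous spec (version 3):
#   onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
# PUBKEY is the 32-byte ed25519 public key and VERSION is the single byte 0x03,
# so the encoded label is always exactly 56 base32 characters (35 bytes * 8 / 5).
CHECKSUM_PREFIX = b".onion checksum"
VERSION_V3 = b"\x03"
PUBKEY_LEN = 32
LABEL_LEN = 56


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256 over the spec-defined checksum input."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION_V3).digest()[:2]


def onion_v3_address(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as '<56 base32 chars>.onion'."""
    if len(pubkey) != PUBKEY_LEN:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + VERSION_V3
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(hostname: str) -> bytes:
    """Check a requested name against the two-level v3 rule.

    Returns the embedded ed25519 public key on success and raises ValueError
    with a reason otherwise. Wildcards ('*.'), extra sub-labels and old
    16-character v2 names are all rejected because they do not match
    '<56 base32 chars>.onion'.
    """
    labels = hostname.strip().lower().rstrip(".").split(".")
    if len(labels) != 2 or labels[1] != "onion":
        raise ValueError("name must have exactly two labels: <address>.onion")
    label = labels[0]
    if len(label) != LABEL_LEN:
        raise ValueError(f"v3 label must be {LABEL_LEN} chars, got {len(label)}")
    try:
        raw = base64.b32decode(label, casefold=True)
    except binascii.Error as exc:
        raise ValueError(f"label is not valid base32: {exc}") from exc
    pubkey, checksum, version = raw[:PUBKEY_LEN], raw[PUBKEY_LEN:PUBKEY_LEN + 2], raw[PUBKEY_LEN + 2:]
    if version != VERSION_V3:
        raise ValueError("version byte is not 3")
    if checksum != onion_v3_checksum(pubkey):
        raise ValueError("checksum mismatch: address is corrupted or not a real v3 name")
    return pubkey


def is_issuable_onion_name(hostname: str) -> bool:
    """True only for a well-formed, checksum-valid two-level v3 .onion name."""
    try:
        parse_onion_v3(hostname)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample key (not a real service), used only to build a valid address.
    sample_key = bytes(range(32))
    addr = onion_v3_address(sample_key)
    print(addr, is_issuable_onion_name(addr))
    for bad in ["*." + addr, "www." + addr, "abcdefghijklmnop.onion", "b" + addr[1:]]:
        print(bad, is_issuable_onion_name(bad))
```

Rejecting the name at this stage costs nothing and keeps the CA from opening a Tor circuit, or worse, a clearnet request through a gateway, for a name it could never issue for; the checksum also catches a single mistyped character in the 56-character label, which is the most common way an applicant ends up requesting a certificate for an address nobody controls.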

Legal and Financial Responsibilities

CAs bear full responsibility for fulfilling their obligations and complying with all requirements, including those of delegated parties. In case of violations, CAs must compensate users and application providers for any losses.

Each CA must notify the CA/Browser Forum of any changes to its certification policy and ensure compliance with the law in all jurisdictions where it operates. If necessary, changes to requirements should be minimal and temporary until any conflict with local law is resolved.

Requirement Updates and Legal Compliance

Certification authorities must follow local laws in every jurisdiction where they operate. In case of a conflict between local law and CA/Browser Forum requirements, the CA may make minimal changes to its policy until the discrepancies are resolved.

Policy changes must be documented in public records and submitted for approval to the CA/Browser Forum. If legislation or rules change, CAs must update their policies within 90 days.

These changes are aimed at increasing the security and transparency of the public key infrastructure and ensuring trust in certification authorities, especially regarding the issuance of certificates for .onion domains.
