draft-ietf-acme-onion.xml

<?xml version="1.0" encoding="utf-8"?>
<?xml-model href="rfc7991bis.rnc"?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>

<rfc xmlns:xi="http://www.w3.org/2001/XInclude"
     ipr="trust200902" submissionType="IETF" category="std" version="3" docName="draft-ietf-acme-onion-latest">
  <front>
    <title abbrev="ACME for .onion">Automated Certificate Management Environment (ACME) Extensions for ".onion"
      Special-Use Domain Names</title>
    <seriesInfo name="Internet-Draft" status="standard" value="draft-ietf-acme-onion-latest"/>
    <author fullname="Q Misell" initials="Q" role="editor" surname="Misell">
      <organization abbrev="AS207960">AS207960 Cyfyngedig</organization>
      <address>
        <postal>
          <street>13 Pen-y-lan Terrace</street>
          <city>Caerdydd</city>
          <code>CF23 9EU</code>
          <country>United Kingdom</country>
        </postal>
        <email>q@as207970.net</email>
        <email>q@magicalcodewit.ch</email>
        <uri>https://magicalcodewit.ch</uri>
      </address>
    </author>
    <area>sec</area>
    <workgroup>Automated Certificate Management Environment</workgroup>

    <abstract>
      <t>The document defines extensions to the Automated Certificate Management Environment (ACME) to allow for the
        automatic issuance of certificates to Tor hidden services (".onion" Special-Use Domain Names).</t>
    </abstract>

    <note removeInRFC="true">
      <name>Discussion</name>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/AS207960/acme-onion"/>.</t>
      <t>The project website and a reference implementation can be found at
        <eref target="https://acmeforonions.org"/>.</t>
    </note>
  </front>

  <middle>
    <section>
      <name>Introduction</name>
      <t>The Tor network has the ability to host "Onion Services" <xref target="tor-rend-spec-v3"/>
        <xref target="tor-address-spec"/> only accessible via the Tor network. These use the ".onion"
        Special-Use Domain Name <xref target="RFC7686"/> to identify these services. These can be used as any other domain
        name could, but do not form part of the DNS infrastructure.</t>
      <t>The Automated Certificate Management Environment (ACME) <xref target="RFC8555"/> defines challenges for
        validating control of DNS identifiers, and whilst a ".onion" Special-Use Domain Name may appear as a DNS name,
        it requires special consideration to validate control of one such that ACME could be used on ".onion"
        Special-Use Domain Names.</t>
      <t>In order to allow ACME to be utilised to issue certificates to ".onion" Special-Use Domain Names this document
        specifies challenges suitable to validate control of these Special-Use Domain Names. Additionally, this document
        defines an alternative to the DNS Certification Authority Authorization (CAA) Resource Record
        <xref target="RFC8659"/> that can be used with ".onion" Special-Use Domain Names.</t>

      <section>
        <name>Requirements Language</name>
        <t>The key words <bcp14>MUST</bcp14>, <bcp14>MUST NOT</bcp14>, <bcp14>REQUIRED</bcp14>, <bcp14>SHALL</bcp14>,
          <bcp14>SHALL NOT</bcp14>, <bcp14>SHOULD</bcp14>, <bcp14>SHOULD NOT</bcp14>, <bcp14>RECOMMENDED</bcp14>,
          <bcp14>NOT RECOMMENDED</bcp14>, <bcp14>MAY</bcp14>, and <bcp14>OPTIONAL</bcp14> in this document are to be
          interpreted as described in <xref target="BCP14"/> when, and only when, they appear in all capitals,
          as shown here.</t>
      </section>
    </section>

    <section>
      <name>Identifier</name>
      <t><xref target="RFC8555"/> defines the "dns" identifier type. This identifier type <bcp14>MUST</bcp14> be used
        when requesting a certificate for a ".onion" Special-Use Domain Name. The value of identifier
        <bcp14>MUST</bcp14> be the textual representation as defined in
        <xref target="tor-address-spec" section=".onion" relative="#onion"/>. The value <bcp14>MAY</bcp14> include
        subdomain labels. Version 2 addresses <xref target="tor-rend-spec-v2"/> <bcp14>MUST NOT</bcp14> be used as these
        are now considered insecure.</t>
      <t>Example identifiers (linebreaks have been added for readability only):</t>
      <sourcecode type="json">
{
  "type": "dns",
  "value": "bbcweb3hytmzhn5d532owbu6oqadra5z3ar726v
        q5kgwwn6aucdccrad.onion"
}
      </sourcecode>
      <sourcecode type="json">
{
  "type": "dns",
  "value": "www.bbcweb3hytmzhn5d532owbu6oqadra5z3ar726v
        q5kgwwn6aucdccrad.onion"
}
      </sourcecode>
    </section>

    <section>
      <name>Identifier Validation Challenges</name>
      <t>The CA/Browser Forum Baseline Requirements (<xref target="cabf-br" section="B.2" relative="#page=124" />)
        define methods accepted by the CA industry for validation of ".onion" Special-Use Domain Names.
        This document incorporates these methods into ACME challenges.</t>
      <section>
        <name>Existing challenges</name>
        <section>
          <name>Existing "dns-01" Challenge</name>
          <t>The existing "dns-01" challenge <bcp14>MUST NOT</bcp14> be used to validate ".onion" Special-Use Domain
            Names, as these domains are not part of the DNS.</t>
        </section>
        <section>
          <name>Existing "http-01" Challenge</name>
          <t>The "http-01" challenge as defined in <xref target="RFC8555" section="8.3"/> can be used to validate a
            ".onion" Special-Use Domain Names, with the modifications defined in this standard, namely
            <xref target="client-auth"/>, and <xref target="caa"/>.</t>
          <t>The ACME server <bcp14>SHOULD</bcp14> follow redirects; note that these <bcp14>MAY</bcp14> be redirects to
            non ".onion" services, and the server <bcp14>SHOULD</bcp14> honour these.</t>
        </section>
        <section>
          <name>Existing "tls-alpn-01" Challenge</name>
          <t>The "tls-alpn-01" challenge as defined in <xref target="RFC8737"/> can be used to validate a ".onion"
            Special-Use Domain Names, with the modifications defined in this standard, namely
            <xref target="client-auth"/>, and <xref target="caa"/>.</t>
        </section>
      </section>
      <section>
        <name>New "onion-csr-01" Challenge</name>
        <t>The two methods already defined in ACME and allowed by the CA/BF do not allow issuance of wildcard
          certificates. A ".onion" Special-Use Domain Name can have subdomains (just like any other domain in the DNS),
          and a site operator may find it useful to have one certificate for all virtual hosts on their site.
          This new validation method incorporates the specially signed CSR (as defined by
          <xref target="cabf-br" section="B.2.b" relative="#page=124"/>) into ACME to allow for the issuance of
          wildcard certificates.</t>
        <t>To this end a new challenge type called "onion-csr-01" is defined, with the following fields:</t>
        <dl>
          <dt>type (required, string)</dt>
          <dd>The string <tt>onion-csr-01</tt></dd>
          <dt>nonce (required, string)</dt>
          <dd>A Base64 <xref target="RFC4648"/> encoded nonce, including padding characters.
            It <bcp14>MUST</bcp14> contain at least 64 bits of entropy. A response generating using this nonce
            <bcp14>MUST NOT</bcp14> be accepted by the ACME server if the nonce was generated more than 30 days ago.</dd>
          <dt>authKey (optional, object)</dt>
          <dd>The Ed25519 public key encoded as per <xref target="RFC8037"/>.</dd>
        </dl>
        <sourcecode type="json">
{
  "type": "onion-csr-01",
  "url": "https://example.com/acme/chall/bbc625c5",
  "status": "pending",
  "nonce": "bI6/MRqV4gw=",
  "authKey": { ... }
}
        </sourcecode>
        <t>Clients prove control over the key associated with the ".onion" service by generating a CSR with the
          following additional extension attributes and signing it with the private key of the ".onion" Special-Use
          Domain Name:</t>
        <ul>
          <li>A <tt>caSigningNonce</tt> attribute containing the nonce provided in the challenge. This
            <bcp14>MUST</bcp14> be raw bytes, and not the base64 encoded value provided in the challenge object.</li>
          <li>An <tt>applicantSigningNonce</tt> containing a nonce generated by the client. This <bcp14>MUST</bcp14>
            have at least 64 bits of entropy. This <bcp14>MUST</bcp14> be raw bytes.</li>
        </ul>
        <t>These additional attributes have the following format</t>
        <sourcecode type="asn.1">
cabf OBJECT IDENTIFIER ::=
  { joint-iso-itu-t(2) international-organizations(23)
    ca-browser-forum(140) }

cabf-caSigningNonce OBJECT IDENTIFIER ::= { cabf 41 }

caSigningNonce ATTRIBUTE ::= {
  WITH SYNTAX             OCTET STRING
  EQUALITY MATCHING RULE  octetStringMatch
  SINGLE VALUE            TRUE
  ID                      { cabf-caSigningNonce }
}

cabf-applicantSigningNonce OBJECT IDENTIFIER ::= { cabf 42 }

applicantSigningNonce ATTRIBUTE ::= {
  WITH SYNTAX             OCTET STRING
  EQUALITY MATCHING RULE  octetStringMatch
  SINGLE VALUE            TRUE
  ID                      { cabf-applicantSigningNonce }
}
        </sourcecode>
        <t>The subject of the CSR need not be meaningful and CAs <bcp14>SHOULD NOT</bcp14> validate its contents.
          The public key presented in this CSR <bcp14>MUST</bcp14> be the public key corresponding to the ".onion"
          Special-Use Domain Name being validated. It <bcp14>MUST NOT</bcp14> be the same public key presented in the
          CSR to finalize the order.</t>
        <t>Client respond with the following object to validate the challenge:</t>
        <dl>
          <dt>csr (required, string)</dt>
          <dd>
            The CSR in the base64url-encoded version of the DER format.
            (Note: Because this field uses base64url, and does not include headers, it is different from PEM.)
          </dd>
        </dl>
        <sourcecode type="http">
POST example.com/acme/chall/bbc625c5
Host: example.com
Content-Type: application/jose+json

{
  "protected": base64url({
    "alg": "ES256",
    "kid": "https://example.com/acme/acct/evOfKhNU60wg",
    "nonce": "UQI1PoRi5OuXzxuX7V7wL0",
    "url": "https://example.com/acme/chall/bbc625c5"
  }),
  "payload": base64url({
    "csr": "MIIBPTCBxAIBADBFMQ...FS6aKdZeGsysoCo4H9P"
  }),
  "signature": "Q1bURgJoEslbD1c5...3pYdSMLio57mQNN4"
}
        </sourcecode>
        <t>When presented with the CSR the server verifies it in the following manner:</t>
        <ol>
          <li>The CSR is a well formatted PKCS#10 request.</li>
          <li>The public key in the CSR corresponds to the ".onion" Special-Use Domain Name being validated.</li>
          <li>The signature over the CSR validates with the ".onion" Special-Use Domain Name public key.</li>
          <li>The caSigningNonce attribute is present and its contents matches the nonce provided to the client.</li>
          <li>The applicantSigningNonce attribute is present and contains at least 64 bits of entropy.</li>
        </ol>
        <t>If all of the above are successful then validation succeeds, otherwise it has failed.</t>
      </section>
    </section>

    <section anchor="client-auth">
      <name>Client authentication to hidden services</name>
      <t>Some hidden services do not wish to be accessible to the entire Tor network, and so encrypt their hidden
        service descriptor with the keys of clients authorized to connect. Without a way for the CA to signal what key
        it will use to connect these services will not be able to obtain a certificate using http-01 or tls-alpn-01,
        nor enforce CAA with any validation method.</t>
      <t>To this end, an additional field in the challenge object is defined to allow the ACME server to advertise the
        Ed25519 public key it will use (as per
        <xref target="tor-rend-spec-v3" section="&quot;Authentication during the introduction phase&quot;" relative="introduction-protocol.html#INTRO-AUTH" />) to
        authenticate itself when retrieving the hidden service descriptor.</t>
      <dl>
        <dt>authKey (optional, object)</dt>
        <dd>The Ed25519 public key encoded as per <xref target="RFC8037"/>.</dd>
      </dl>
      <t>ACME servers <bcp14>MUST NOT</bcp14> use the same public key with multiple hidden services.
        ACME servers <bcp14>MAY</bcp14> re-use public keys for re-validation of the same hidden service.</t>
      <t>There is no method to communicate to the CA that client authentication is necessary; instead the ACME server
        <bcp14>MUST</bcp14> attempt to calculate its CLIENT-ID as per
        <xref target="tor-rend-spec-v3" section="&quot;Client Behaviour&quot;" relative="hsdesc-encrypt.html#FIRST-LAYER-CLIENT-BEHAVIOR"/>.
        If no <tt>auth-client</tt> line in the first layer hidden service descriptor matches the computed client-id
        then the server <bcp14>MUST</bcp14> assume that the hidden service does not require client authentication and
        proceed accordingly.</t>
      <t>In the case the Ed25519 public key is novel to the client it will have to resign and republish its hidden service
        descriptor. It <bcp14>SHOULD</bcp14> wait some (indeterminate) amount of time for the new descriptor to
        propagate the Tor hidden service directory servers, before proceeding with responding to the challenge.
        This should take no more than a few minutes. This specification does not set a fixed time as changes in the
        operation of the Tor network can affect this propagation time in the future. ACME servers
        <bcp14>MUST NOT</bcp14> expire challenges before a reasonable time to allow publication of the new descriptor -
        this document suggests at least 30 minutes however it is entirely up to operator preference.</t>
    </section>

    <section>
      <name>ACME over hidden services</name>
      <t>A CA offering certificates to ".onion" Special-Use Domain Names <bcp14>SHOULD</bcp14> make their
        ACME server available as a Tor hidden services. ACME clients <bcp14>SHOULD</bcp14> also support connecting to
        ACME servers over Tor, regardless of their support of "onion-csr-01", as their existing "http-01"
        and "tls-alpn-01" implementations could be used to obtain certificates for ".onion" Special-Use Domain Names.</t>
    </section>

    <section anchor="caa">
      <name>Certification Authority Authorization (CAA)</name>
      <t>".onion" Special-Use Domain Name are not part of the DNS, and as such a variation on CAA <xref target="RFC8659"/>
        is necessary to allow restrictions to be placed on certificate issuance.</t>
      <t>To this end a new field is added to the second layer hidden service descriptor
        <xref target="tor-rend-spec-v3" relative="hsdesc-encrypt.html#second-layer-plaintext" section="&quot;Second layer plaintext format&quot;" />
        with the following format (defined using the notation from
        <xref target="tor-dir-spec-v3" section="&quot;Document meta-format&quot;" relative="outline.html#metaformat"/>):</t>
      <sourcecode>
"caa" SP flags SP tag SP value NL
[Any number of times]
      </sourcecode>
      <t>The contents of "flag", "tag", and "value" are as per <xref target="RFC8659" section="4.1.1"/>.
        Multiple CAA records <bcp14>MAY</bcp14> be present, as is the case in the DNS. CAA records in a hidden service
        descriptor are to be treated the same by CAs as if they had been in the DNS for the ".onion" Special-Use Domain Name.</t>
      <t>A hidden service's second layer descriptor using CAA could look something like the following
        (linebreaks have been added for readability only):</t>
      <sourcecode>
create2-formats 2
single-onion-service
caa 128 issue "test.acmeforonions.org;validationmethods=onion-csr-01"
caa 0 iodef "mailto:security@example.com"
introduction-point AwAGsAk5nSMpAhRqhMHbTFCTSlfhP8f5PqUhe6DatgMgk7kSL3
        KHCZUZ3C6tXDeRfM9SyNY0DlgbF8q+QSaGKCs=
...
      </sourcecode>
      <section>
        <name>Relevant Resource Record Set</name>
        <t>In the absence of the possibility for delegation of subdomains from a ".onion" Special-Use Domain Name as
          there is in the DNS there is no need, nor indeed any method available, to search up the DNS tree for a
          relevant CAA record set. Similarly, it is also impossible to check CAA records on the "onion" Special-Use TLD,
          as it does not exist in any form except as described in <xref target="RFC7686"/>, so implementors
          <bcp14>MUST</bcp14> not look here either.</t>
        <t>Instead all subdomains under a ".onion" Special-Use Domain Name share the same CAA record set. That is,
          all of these share a CAA record set with "a.onion":</t>
        <ul>
          <li>b.a.onion</li>
          <li>c.a.onion</li>
          <li>e.d.a.onion</li>
        </ul>
        <t>but these do not:</t>
        <ul>
          <li>b.c.onion</li>
          <li>c.d.onion</li>
          <li>e.c.d.onion</li>
        </ul>
      </section>
      <section>
        <name>When to check CAA</name>
        <t>If the hidden service has client authentication enabled then it will be impossible for the ACME server to
          decrypt the second layer descriptor to read the CAA records until the ACME server's public key has been added
          to the first layer descriptor. To this end an ACME server <bcp14>SHOULD</bcp14> wait until the client responds
          to an authorization before checking CAA, and treat this response as indication that their public key has been
          added and that the ACME server will be able to decrypt the second layer descriptor.</t>
      </section>
      <section>
        <name>Preventing mis-issuance by unknown CAs</name>
        <t>In the case of a hidden service requiring client authentication it is impossible to read them without the
          hidden service trusting a ACME server's public key - as the CAA records are in the second layer descriptor.
          A method is necessary to signal that there are CAA records present (but not reveal their contents which
          - in certain circumstances - would disclose unwanted information about the hidden service operator).</t>
        <t>To this end a new field is added to the first layer hidden service descriptor
          <xref target="tor-rend-spec-v3" section="&quot;First layer plaintext format&quot;" relative="hsdesc-encrypt.html#first-layer-plaintext" />
          with the following format (defined using the notation from
        <xref target="tor-dir-spec-v3" section="&quot;Document meta-format&quot;" relative="outline.html#metaformat"/>):</t>
        <sourcecode>
"caa-critical" NL
[At most once]
        </sourcecode>
        <t>If an ACME server encounters this flag it <bcp14>MUST NOT</bcp14> proceed with issuance until it can decrypt
          and parse the CAA records from the second layer descriptor.</t>
      </section>
      <section>
        <name>Alternative in-band presentation of CAA</name>
        <t>An ACME server might be unwilling to operate the infrastructure required to fetch, decode, and verify Tor
          hidden service descriptors in order to check CAA records. To this end a method to signal CAA policies in-band
          of ACME is defined.</t>
        <t>If a hidden service does use this method to provide CAA records to an ACME server it <bcp14>SHOULD</bcp14>
          still publish CAA records if its CAA record set includes "iodef", "contactemail", or "contactphone" so that
          this information is still publicly accessible. A hidden service operator <bcp14>MAY</bcp14> also not wish to
          publish a CAA record set in its service descriptor to avoid revealing information about the service operator.</t>
        <t>If an ACME server receives a validly signed CAA record set in the finalize request it need not check the CAA
          set in the hidden service descriptor and can proceed with issuance on the basis of the client provided CAA
          record set only. An ACME server <bcp14>MAY</bcp14> ignore the client provided record set, and is free to
          always fetch the record set from the service descriptor.</t>
        <t>A new field is defined in the ACME finalize endpoint to contain the hidden service's CAA record set for each
          ".onion" Special-Use Domain Name in the order.</t>
        <dl>
          <dt>onionCAA (optional, dictionary of objects)</dt>
          <dd>
            The CAA record set for each ".onion" Special-Use Domain Name in the order. The key is the ".onion"
            Special-Use Domain Name, and the value is an object with the following fields.
          </dd>
        </dl>
        <t>The contents of the values of the "onionCAA" object are:</t>
        <dl>
          <dt>caa (required, string or null)</dt>
          <dd>
            The CAA record set as a string, encoded in the same way as if was included in the hidden service descriptor.
            If the hidden service does not have a CAA record set then this <bcp14>MUST</bcp14> be null.
          </dd>
          <dt>expiry (required, integer)</dt>
          <dd>
            The Unix timestamp at which this CAA record set will expire. This <bcp14>SHOULD NOT</bcp14> be more than
            8 hours in the future. ACME servers <bcp14>MUST</bcp14> process this as at least a 64-bit integer to ensure
            functionality beyond 2038.
          </dd>
          <dt>signature (required, string)</dt>
          <dd>
            The Ed25519 signature of the CAA record set using the private key corresponding to the ".onion"
            Special-Use Domain Name, encoded using base64url. The signature is defined below.
          </dd>
        </dl>
        <t>The data that the signature is calculated over is the concatenation of the following,
          encoded in UTF-8 <xref target="RFC3629"/>:</t>
        <sourcecode>"onion-caa|" || expiry || "|" || caa</sourcecode>
        <t>Where "|" is the ASCII character 0x7C, and expiry is the expiry field as a decimal string with no
          leading zeros. If the caa field is null it is represented as an empty string in the signature calculation.</t>
        <section>
          <name>ACME servers requiring in-band CAA</name>
          <t>If an ACME server does not support fetching a service's CAA record set from its service descriptor it,
            and the ACME client does not provide an "onionCAA" object in its finalize request the ACME server
            <bcp14>MUST</bcp14> respond with an "onionCAARequired" error to indicate this.</t>
          <t>Additionally, a new field is defined in the directory "meta" object to signal this.</t>
          <dl>
            <dt>inBandOnionCAARequired (optional, boolean)</dt>
            <dd>
              If true, the ACME server requires the client to provide the CAA record set in the finalize request.
              If false or absent the ACME server does not require the client to provide the CAA record set is this
              manner.</dd>
          </dl>
          <t>A directory of such a CA could look like</t>
          <sourcecode type="http">
HTTP/1.1 200 OK
Content-Type: application/json

{
  "newNonce": "https://example.com/acme/new-nonce",
  "newAccount": "https://example.com/acme/new-account",
  "newOrder": "https://example.com/acme/new-order",
  "revokeCert": "https://example.com/acme/revoke-cert",
  "keyChange": "https://example.com/acme/key-change",
  "meta": {
    "termsOfService": "https://example.com/acme/terms/2023-10-13",
    "website": "https://acmeforonions.org/",
    "caaIdentities": ["test.acmeforonions.org"],
    "inBandOnionCAARequired": true
  }
}
          </sourcecode>
        </section>
        <section>
          <name>Example in-band CAA</name>
          <t>Given the following example CAA record set for 5anebu2glyc235wbbop3m2ukzlaptpkq333vdtdvcjpigyb7x2i2m2qd.onion
            (linebreaks have been added for readability only):</t>
          <sourcecode>
caa 128 issue "test.acmeforonions.org;
            validationmethods=onion-csr-01"
caa 0 iodef "mailto:example@example.com"
          </sourcecode>
          <t>The following would be submitted to the ACME server's finalize endpoint
            (linebreaks have been added for readability only):</t>
          <sourcecode type="http">
POST /acme/order/TOlocE8rfgo/finalize
Host: example.com
Content-Type: application/jose+json

{
  "protected": base64url({
    "alg": "ES256",
    "kid": "https://example.com/acme/acct/evOfKhNU60wg",
    "nonce": "MSF2j2nawWHPxxkE3ZJtKQ",
    "url": "https://example.com/acme/order/TOlocE8rfgo/finalize"
  }),
  "payload": base64url({
    "csr": "MIIBPTCBxAIBADBFMQ...FS6aKdZeGsysoCo4H9P",
    "onionCAA": {
      "5anebu2glyc235wbbop3m2ukzlaptpkq333vdtdvcjpi
            gyb7x2i2m2qd.onion": {
        "caa": "caa 128 issue \"test.acmeforonions.org;
            validationmethods=onion-csr-01\"\n
            caa 0 iodef \"mailto:example@example.com\"",
        "expiry": 1697210719,
        "signature": "u_iP6JZ4JZBrzQUKH6lSrWejjRfeQmkTuehc0_FaaTNP
            AV0RVxpUz9r44DRdy6kgy0ofnx18KIhMrP7N1wpxAA=="
      }
    }
  }),
  "signature": "uOrUfIIk5RyQ...nw62Ay1cl6AB"
}
          </sourcecode>
        </section>
      </section>
    </section>

    <section anchor="IANA">
      <name>IANA Considerations</name>
      <section>
        <name>Validation Methods</name>
        <t>Per this document, one new entry has been added to the "ACME Validation Methods" registry defined in
          <xref target="RFC8555" section="9.7.8"/>. This entry is defined below:</t>
        <table>
          <name>New entries</name>
          <thead>
            <tr>
              <th>Label</th>
              <th>Identifier Type</th>
              <th>ACME</th>
              <th>Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>onion-csr-01</td>
              <td>dns</td>
              <td>Y</td>
              <td>This document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section>
        <name>Error Types</name>
        <t>Per this document, one new entry has been added to the "ACME Error Types" registry defined in
          <xref target="RFC8555" section="9.7.8"/>. This entry is defined below:</t>
        <table>
          <name>New entries</name>
          <thead>
            <tr>
              <th>Type</th>
              <th>Description</th>
              <th>Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>onionCAARequired</td>
              <td>The CA only supports checking CAA for hidden services in-band, but the client has not provided an
                in-band CAA</td>
              <td>This document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section>
        <name>Directory Metadata Fields</name>
        <t>Per this document, one new entry has been added to the "ACME Directory Metadata Fields" registry defined in
          <xref target="RFC8555" section="9.7.8"/>. This entry is defined below:</t>
        <table>
          <name>New entries</name>
          <thead>
            <tr>
              <th>Field name</th>
              <th>Field type</th>
              <th>Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>onionCAARequired</td>
              <td>boolean</td>
              <td>This document</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>

    <section anchor="Security">
      <name>Security Considerations</name>
      <section>
        <name>Security of the "onion-csr-01" challenge</name>
        <t>The security considerations of <xref target="cabf-br"/> apply to issuance using the CSR method.</t>
      </section>
      <section anchor="security-id-dns">
        <name>Use of "dns" identifier type</name>
        <t>The re-use of the "dns" identifier type for a Special-Use Domain Name not actually in the DNS infrastructure
          raises questions regarding its suitability. The reasons the author wishes to pursue this path in the first
          place are detailed in <xref target="use-of-id-dns"/>. It is felt that there is little security concern in
          reuse of the "dns" identifier type with regards the mis-issuance by CAs that are not aware of ".onion"
          Special-Use Domain Names, as CAs would not be able to resolve the identifier in the DNS.</t>
        <section>
          <name>"http-01" Challenge</name>
          <t>The CA would follow the procedure set out in <xref target="RFC8555" section="8.3"/> which specifies that
            the CA should "Dereference the URL using an HTTP GET request". Given that ".onion" Special-Use Domain Names require
            special handling to dereference, this de-referencing will fail, disallowing issuance.</t>
        </section>
        <section>
          <name>"tls-alpn-01" Challenge</name>
          <t>The CA would follow the procedure set out in <xref target="RFC8737" section="3"/> which specifies that the
            CA "resolves the domain name being validated and chooses one of the IP addresses returned for validation".
            Given that ".onion" Special-Use Domain Names are not resolvable to IP addresses, this de-referencing will
            fail, disallowing issuance.</t>
        </section>
        <section>
          <name>"dns-01" Challenge</name>
          <t>The CA would follow the procedure set out in <xref target="RFC8555" section="8.4"/> which specifies that
            the CA should "query for TXT records for the validation domain name".
            Given that ".onion" Special-Use Domain Names are not present in the DNS infrastructure, this query will
            fail, disallowing issuance.</t>
        </section>
      </section>
      <section>
        <name>Key Authorization with "onion-csr-01"</name>
        <t>The "onion-csr-01" challenge does not make use of the key authorization string defined in
          <xref target="RFC8555" section="8.1"/>. This does not weaken the integrity of authorizations.</t>
        <t>The key authorization exists to ensure that whilst an attacker observing the validation channel can observe
          the correct validation response, they cannot compromise the integrity of authorizations as the response
          can only be used with the account key for which it was generated. As the validation channel for this challenge
          is ACME itself, and ACME already requires that the request be signed by the account, the key authorization is
          not necessary.</t>
      </section>
      <section>
        <name>Use of Tor for non ".onion" domains</name>
        <t>An ACME server <bcp14>MUST NOT</bcp14> utilise Tor for the validation of non ".onion" domains, due to the
          risk of exit hijacking.</t>
      </section>
      <section>
        <name>Redirects with "http-01"</name>
        <t>A site <bcp14>MAY</bcp14> redirect to another site when completing validation using the "http-01" challenge.
          This redirect can be to either another ".onion" Special-Use Domain Name, or to a domain in the public DNS.
          A site operator <bcp14>SHOULD</bcp14> consider the privacy implications of redirecting to a non ".onion"
          site - namely that the ACME server operator will then be able to learn information about the site redirected to
          that they would not if accessed via a ".onion" Special-Use Domain Name, such as its IP address. If the site
          redirected to is on the same or an adjacent host to the ".onion" Special-Use Domain Name this reveals
          information <xref target="tor-rend-spec-v3"/> was otherwise designed to protect.</t>
        <t>If an ACME server receives a redirect to a domain in the public DNS it <bcp14>MUST NOT</bcp14> utilise Tor
          to make a connection to it, due to the risk of exit hijacking.</t>
      </section>
      <section>
        <name>Security of CAA records</name>
        <t>The second layer descriptor is signed, encrypted and MACed in a way that only a party with access to the
          secret key of the hidden service could manipulate what is published there. For more information about this
          process see <xref target="tor-rend-spec-v3" section="&quot;Hidden service descriptors: encryption format&quot;" relative="hsdesc-encrypt.html" />.</t>
      </section>
      <section>
        <name>In-band CAA</name>
        <t>Tor directory servers are inherently untrusted entities, and as such there is no difference in the security
          model for accepting CAA records directly from the ACME client or fetching them over Tor. CAA records are still
          verified against the same hidden service key.</t>
      </section>
      <section>
        <name>Access of the Tor network</name>
        <t>The ACME server <bcp14>MUST</bcp14> make its own connection to the hidden service via the Tor network,
          and <bcp14>MUST NOT</bcp14> outsource this, such as by using Tor2Web.</t>
      </section>
      <section>
        <name>Anonymity of the ACME client</name>
        <t>ACME clients requesting certificates for ".onion" Special-Use Domain Names can inadvertently expose the
          existence of a hidden service on the host requesting certificates to unintended parties - even when features
          such as ECH <xref target="I-D.ietf-tls-esni"/> are utilised, as the IP addresses of ACME servers are generally
          well-known, static, and not used for any other purpose.</t>
        <t>ACME clients <bcp14>SHOULD</bcp14> connect to ACME servers over the Tor network to alleviate this, preferring
        a hidden service endpoint if the CA provides such a service.</t>
        <t>If an ACME client requests a publicly trusted WebPKI certificate it will expose the existence of the Hidden
          Service publicly due to its inclusion in Certificate Transparency logs <xref target="RFC9162"/>. Hidden Service
          operators <bcp14>SHOULD</bcp14> consider the privacy implications of this before requesting certificates.</t>
      </section>
    </section>
  </middle>

  <back>
    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>

        <referencegroup anchor="BCP14" target="https://www.rfc-editor.org/info/bcp14">
          <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.2119.xml"/>
          <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8174.xml"/>
        </referencegroup>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.4648.xml"/>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.7686.xml"/>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8037.xml"/>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8555.xml"/>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8659.xml"/>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8737.xml"/>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.3629.xml"/>

        <reference anchor="tor-address-spec" target="https://spec.torproject.org/address-spec">
          <front>
            <title>Special Hostnames in Tor</title>
            <author fullname="Nick Mathewson" initials="N." surname="Nick Mathewson">
              <organization>The Tor Project</organization>
            </author>
          </front>
        </reference>

        <reference anchor="tor-rend-spec-v3" target="https://spec.torproject.org/rend-spec/index.html">
          <front>
            <title>Tor Rendezvous Specification - Version 3</title>
            <author>
              <organization>The Tor Project</organization>
            </author>
          </front>
        </reference>

        <reference anchor="tor-rend-spec-v2" target="https://spec.torproject.org/rend-spec-v2">
          <front>
            <title>Tor Rendezvous Specification - Version 2</title>
            <author>
              <organization>The Tor Project</organization>
            </author>
          </front>
        </reference>

        <reference anchor="tor-dir-spec-v3" target="https://spec.torproject.org/dir-spec/index.html">
          <front>
            <title>Tor Directory Protocol - Version 3</title>
            <author>
              <organization>The Tor Project</organization>
            </author>
          </front>
        </reference>

        <reference anchor="cabf-br" target="https://cabforum.org/working-groups/server/baseline-requirements/documents/CA-Browser-Forum-TLS-BR-2.0.6.pdf">
          <front>
            <title>Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates</title>
            <author>
              <organization>CA/Browser Forum</organization>
            </author>
          </front>
        </reference>

      </references>
      <references>
        <name>Informative References</name>

        <reference anchor="onion-services-setup" target="https://community.torproject.org/onion-services/setup/">
          <front>
            <title>Set Up Your Onion Service</title>
            <author>
              <organization>The Tor Project</organization>
            </author>
          </front>
        </reference>

        <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-tls-esni.xml"/>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.9162.xml"/>
      </references>
    </references>

    <section anchor="use-of-id-dns">
      <name>Discussion on the use of the "dns" identifier type</name>
      <t>The reasons for utilising the "dns" identifier type in ACME and not defining a new identifier type for
        ".onion"s may not seem obvious at first glance. After all, ".onion" Special-Use Domain
        Names are not part of the DNS infrastructure and as such why should they use the "dns" identifier type?</t>
      <t><xref target="cabf-br" section="B.2.a.ii" relative="#page=124"/> defines, and this standard allows,
        using the "http-01" or "tls-alpn-01" validation methods already present in ACME (with some considerations).
        Given the situation of a web server placed behind a Tor terminating proxy (as per the setup suggested by the
        Tor project <xref target="onion-services-setup"/>), existing ACME tooling can be blind to the fact that a
        ".onion" Special-Use Domain Name is being utilised, as they simply receive an incoming TCP connection as they
        would regardless (albeit from the Tor terminating proxy).</t>
      <t>An example of this would be Certbot placing the ACME challenge response file in the webroot of an NGINX web
        server. Neither Certbot nor NGINX would require any modification to be aware of any special handling for
        ".onion" Special-Use Domain Names.</t>
      <t>This does raise some questions regarding security within existing implementations, however the authors believe
        this is of little concern, as per <xref target="security-id-dns"/>.</t>
    </section>

    <section anchor="Acknowledgements" numbered="false">
      <name>Acknowledgements</name>
      <t>With thanks to the Open Technology Fund for funding the work that went into this document.</t>
      <t>The authors also wish to thank the following for their input on this document:</t>
      <ul>
        <li>Iain Learmonth</li>
        <li>Jan-Frederik Rieckers</li>
      </ul>
    </section>
  </back>
</rfc>