Onion Domains Get New Security Boost from CA/Browser Forum
The CA/Browser Forum has updated its requirements for Certificate Authorities (CAs) and audit processes, as well as introduced rules for issuing certificates for .onion domains. These changes are aimed at strengthening oversight, transparency, and security within the public key infrastructure (PKI).
Obligations and Audits for Certificate Authorities
Under the new requirements, each CA is obliged to:
- Comply with the latest standards and undergo audits within the specified timelines.
- Obtain a license in every jurisdiction where it is mandated by law.
- Ensure the implementation of the Certificate Policy (CP) and the Certification Practice Statement (CPS).
- If a CA issues certificates that can themselves be used to issue further certificates, those certificates must be technically constrained (in accordance with sections 7.1.2.3–7.1.2.5 of the requirements) or be covered by a full audit. Every issuance period must be accompanied by an audit, conducted at least annually. In the absence of an up-to-date audit report, a readiness assessment must be completed prior to the issuance of certificates.
Audit and Auditor Qualifications
Audits must be performed by a qualified auditor with the following competencies:
- Independence from the audit subject.
- Expertise in PKI analysis, information security, and certification standards.
- WebTrust license or ETSI accreditation in compliance with ISO 17065.
- Professional liability insurance coverage of at least $1 million.
CAs may choose from the following audit frameworks:
- WebTrust (e.g., version 2.7 or later),
- ETSI (e.g., EN 319 411-1),
- An internal audit scheme, provided it meets or is comparable to accepted standards.
The audit report must include comprehensive information on the organization, certification centers, issued certificates, and applied criteria. It must be published within three months of the audit period’s conclusion. If delayed, the CA is required to release an explanatory letter signed by the auditor.
CAs are also obligated to conduct self-audits at least quarterly, reviewing a random sample of certificates. As of March 15, 2025, these samples must be evaluated using a linting process to assess the technical accuracy of the certificates. Similar checks apply to third-party delegates, who must also undergo annual audits.
Certificates for .onion Domains
Under the new requirements, certificates for .onion domains must adhere to strict rules. The name must consist of exactly two labels: the top-level “onion” and a unique version 3 address as defined by the Tor protocol.
CAs must verify ownership of a .onion domain through the following methods:
- Agreed changes to the website (sections 3.2.2.4.18 and 3.2.2.4.19),
- Use of TLS via ALPN (section 3.2.2.4.20).
All connections must be made directly over the Tor protocol, without using third-party gateway services such as Tor2Web. A further verification method is to sign the certificate request with the hidden service's private key, combined with special high-entropy nonce values.
CAs are prohibited from issuing wildcard certificates for .onion domains unless explicitly permitted by specific procedures within the rules. The CA/Browser Forum also emphasizes that certificates for .onion domains will not be treated as internal names, provided they meet the new requirements. This change is designed to enhance trust and improve security within the Tor ecosystem.
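The two-label rule and the wildcard prohibition above are the kind of checks a CA would apply to a requested name before starting domain validation. The following is an added example, not code from the article or from any CA or the CA/Browser Forum; it encodes and decodes Tor version 3 addresses using the public layout of that format (a 32-byte ed25519 key, a two-byte SHA3-256 checksum and a version byte of 3, base32-encoded) and then applies the page's .onion name rules to a candidate subjectAltName. The function names, the demo key bytes and the error strings are this example's own assumptions.

```python
import base64
import hashlib
import re

# Tor version 3 onion address layout (Tor rend-spec-v3), used here to validate
# the leftmost label of a .onion name before a CA would accept it in a SAN:
#   address  = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
#   PUBKEY   = 32-byte ed25519 public key, VERSION = 0x03
ONION_V3_LABEL = re.compile(r"^[a-z2-7]{56}$")


def onion_v3_checksum(pubkey: bytes, version: int = 3) -> bytes:
    """Two-byte checksum that binds the public key and the version byte."""
    h = hashlib.sha3_256()
    h.update(b".onion checksum")
    h.update(pubkey)
    h.update(bytes([version]))
    return h.digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build a v3 .onion name from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_v3(label: str) -> bytes:
    """Return the public key encoded in a v3 address label, or raise ValueError."""
    if not ONION_V3_LABEL.match(label):
        raise ValueError("label is not a 56-character base32 v3 address")
    raw = base64.b32decode(label.upper())  # 56 base32 chars -> exactly 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != 3:
        raise ValueError(f"version byte is {version}, expected 3")
    if checksum != onion_v3_checksum(pubkey, version):
        raise ValueError("checksum mismatch: address is corrupted or mistyped")
    return pubkey


def check_onion_san(dns_name: str) -> tuple[bool, str]:
    """Apply the .onion naming rules to one requested dNSName.

    Checks: no wildcard, exactly two labels, rightmost label 'onion',
    leftmost label a well-formed version 3 address.
    """
    name = dns_name.strip().lower().rstrip(".")
    if "*" in name:
        return False, "wildcard names are not permitted for .onion"
    labels = name.split(".")
    if len(labels) != 2:
        return False, "a .onion name must have exactly two labels"
    if labels[1] != "onion":
        return False, "rightmost label must be 'onion'"
    try:
        decode_onion_v3(labels[0])
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    # Constructed key bytes for the demo, not a real hidden service.
    demo_key = bytes(range(32))
    demo_name = encode_onion_v3(demo_key)
    candidates = (
        demo_name,                      # well-formed
        "*." + demo_name,               # wildcard
        "www." + demo_name,             # three labels
        "abcdefghijklmnop.onion",       # constructed 16-char (v2-style) label
        demo_name[:-7] + "c.onion",     # last char 'd' -> 'c' changes the version byte
    )
    for candidate in candidates:
        print(f"{candidate}: {check_onion_san(candidate)}")
```

The checksum and version checks are what distinguish a syntactically plausible 56-character label from a genuine v3 address: a single mistyped character in a request is rejected before any validation traffic is sent over Tor.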
Legal and Financial Responsibilities
CAs bear full responsibility for fulfilling their obligations and complying with all requirements, including those involving delegated parties. In case of violations, CAs are required to compensate losses incurred by users and application providers.
Each CA must notify the CA/Browser Forum of any changes to its certification policies and ensure compliance with laws in all jurisdictions where they operate. Any necessary changes to the requirements must be minimal and temporary until the conflict with local law is resolved.
Policy Updates and Legal Compliance
Certification Authorities must follow local laws in every jurisdiction where they operate. In cases of conflict between local law and CA/Browser Forum requirements, the CA may make minimal adjustments to policies until inconsistencies are resolved.
Any changes in policy must be recorded in public documents and submitted for approval to the CA/Browser Forum. Upon any legislative or regulatory changes, CAs must update their policies within 90 days.
These updates are aimed at increasing security and transparency within the public key infrastructure and ensuring trust in certification authorities, particularly in the context of issuing certificates for .onion domains.