I was just going to respond with something similar.
Appendix F:
"A CA may issue an EV Certificate with .onion in the right-most label of the Domain Name provided
that issuance complies with the requirements set forth in this Appendix:
1. CAB Forum Tor Service Descriptor Hash extension (2.23.140.1.31)
The CAB Forum has created an extension of the TBSCertificate for use in conveying hashes of keys
related to .onion addresses. The Tor Service Descriptor Hash extension has the following format:
cabf-TorServiceDescriptor OBJECT IDENTIFIER ::= { 2.23.140.1.31 }
TorServiceDescriptorSyntax ::=
    SEQUENCE ( 1..MAX ) of TorServiceDescriptorHash
TorServiceDescriptorHash ::= SEQUENCE {
    onionURI UTF8String
    algorithm AlgorithmIdentifier
    subjectPublicKeyHash BIT STRING
}
Where the AlgorithmIdentifier is a hashing algorithm (defined in RFC 6234) performed over the DER-encoding
of an ASN.1 SubjectPublicKey of the .onion service and SubjectPublicKeyHash is the hash
output."
The requirements don't specify what to do with this information. I know our product team interpreted this as part of the validation methods and exchange of key information, not something that was included in a certificate. We can include this information, but the guidelines are unclear about what we do with this.
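
For reference, the structure quoted from Appendix F can be serialized as below. This is an added example, not code from the Guidelines or from the poster. It assumes SHA-256 as the RFC 6234 hash, omits the AlgorithmIdentifier parameters, takes the DER key bytes as caller-supplied input, and wraps the result in a non-critical X.509 Extension; the URI and key bytes are constructed placeholders.

```python
import hashlib

CABF_TOR_OID = "2.23.140.1.31"         # extension OID quoted in Appendix F
SHA256_OID = "2.16.840.1.101.3.4.2.1"  # SHA-256, one of the RFC 6234 hashes (assumed choice)

def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def oid(dotted):
    """OBJECT IDENTIFIER: first two arcs share a byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def descriptor_hash(onion_uri, key_der):
    """One TorServiceDescriptorHash; key_der is the DER key encoding (assumed input)."""
    digest = hashlib.sha256(key_der).digest()
    return tlv(0x30,
               tlv(0x0C, onion_uri.encode("utf-8"))  # onionURI UTF8String
               + tlv(0x30, oid(SHA256_OID))           # algorithm, parameters omitted
               + tlv(0x03, b"\x00" + digest))         # BIT STRING, 0 unused bits

def tor_extension(entries):
    """Extension { extnID, extnValue OCTET STRING } around the SEQUENCE OF entries."""
    syntax = tlv(0x30, b"".join(descriptor_hash(u, k) for u, k in entries))
    return tlv(0x30, oid(CABF_TOR_OID) + tlv(0x04, syntax))

# Constructed sample values: a placeholder onion URI and a toy DER structure
# standing in for the service key; neither is a real service or key.
SAMPLE_URI = "https://aaaaaaaaaaaaaaaa.onion"
SAMPLE_KEY_DER = bytes.fromhex("30080201030203010001")

if __name__ == "__main__":
    print(tor_extension([(SAMPLE_URI, SAMPLE_KEY_DER)]).hex())
```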