[cabfpub] BR "corrections" ballot

Erwann Abalea Erwann.Abalea at docusign.com
Mon Mar 21 14:51:23 UTC 2016

Resent from my DocuSign email address :/

Erwann Abalea

On 21 March 2016 at 15:50, Erwann Abalea <erwann.abalea at opentrust.com> wrote:


X.509 has recently changed its definition of what is admissible in a dNSName entry. You can freely download all this from https://www.itu.int/rec/T-REC-X.509/en.

From the very first edition of X.509v3 (1997) up to the latest revision (2012), it was defined as:

  *   the dNSName alternative is an Internet domain name defined in accordance with IETF RFC 1035;

preventing the use of anything other than letters, digits, and hyphen.

A published corrigendum changed the definition to:

the dNSName alternative shall be a fully-qualified domain name (FQDN). The domain name shall be in the syntax as specified by section 2.3.1 of IETF RFC 5890 meaning that a domain name is a sequence of labels in the letters, digits, hyphen (LDH) format separated by dots.

A label may be in one of two formats:

a)  All characters in the label are from the Basic Latin collection as defined by ISO/IEC 10646 (i.e., having code points in the ranges 002D, 0030-0039, 0041-005A and 0061-007A) and it does not start with "xn--". The maximum length is 63 octets.
b)  It is an A-label as defined in IETF RFC 5890, i.e., it starts with the "xn--" and is a U-label converted to valid ASCII characters as in item a) using the Punycode algorithm defined by IETF RFC 3492. The converted string shall be maximum 59 octets. To be valid, it shall be possible for an A-label to be converted to a valid U-label. The U-label is as also defined in IETF RFC 5890.

NOTE 1 – An A-label is normally not human-readable.

Again preventing anything other than letters, digits, and hyphens.

Erwann Abalea

On 21 March 2016 at 14:08, Peter Bowen <pzb at amzn.com> wrote:

On Mar 21, 2016, at 4:39 AM, Gervase Markham <gerv at mozilla.org> wrote:

On 21/03/16 11:23, Rob Stradling wrote:

Are the things we put in certificates hostnames? Given that SSL is for
connecting to internet hosts, it would seem to me that they are. Clue me
in by explaining what I'm missing.

"You've entered a special hell. It is dark and scary. You are likely to
be eaten by a grue."


Can someone give me a concrete example of why someone would want an _ in
a hostname in a cert? An all-Microsoft shop using it for an internal
name which nevertheless was an FQDN? my_server.corp.fooco.com?

_ is allowed at the DNS protocol level, so it works in many cases.  See the following (pulled from CT logs):


All of these have public A records with what appear to be public IPs.  Given this, they presumably work with many TLS clients.

Public mailing list
Public at cabforum.org

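The two label formats from the X.509 corrigendum quoted in the thread above, as an added example that is not part of the original message or of the ITU-T text: a Python checker that applies item a) and item b) to each label of a dNSName, and rejects an underscore label such as the "my_server.corp.fooco.com" case raised in the thread. It is an illustration, not a reference implementation. Assumptions are marked in the code: the "xn--" prefix is matched case-insensitively, the hyphen-at-either-end restriction is taken from the RFC 5890 section 2.3.1 LDH rule the corrigendum references, and the "shall be possible to convert to a valid U-label" requirement is only approximated (decode with Python's Punycode codec, require a non-ASCII result in NFC form, and require a round trip) rather than applying the full RFC 5891 table checks.

```python
import unicodedata
from typing import List, Optional, Tuple

# Code points admitted in a label by item a) of the corrigendum:
# U+002D (hyphen), U+0030-0039 (digits), U+0041-005A and U+0061-007A (letters).
_LDH = set("-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

MAX_LABEL_OCTETS = 63      # item a): whole label
MAX_PUNYCODE_OCTETS = 59   # item b): the part following "xn--"


def check_label(label: str) -> Optional[str]:
    """Return None if the label is admissible, otherwise a short reason."""
    if not label:
        return "empty label"
    for ch in label:
        if ch not in _LDH:
            # Underscore (U+005F) lands here, as does any non-ASCII character.
            return f"character {ch!r} (U+{ord(ch):04X}) is outside the LDH set"
    # Assumption: RFC 5890 section 2.3.1 LDH rule, hyphen not at either end.
    if label[0] == "-" or label[-1] == "-":
        return "label begins or ends with a hyphen"
    # Assumption: treat the "xn--" prefix case-insensitively.
    if label[:4].lower() != "xn--":
        # Item a): plain LDH label, at most 63 octets (all characters are ASCII here).
        if len(label) > MAX_LABEL_OCTETS:
            return f"label longer than {MAX_LABEL_OCTETS} octets"
        return None
    # Item b): A-label. The converted string after "xn--" is limited to 59 octets.
    puny = label[4:]
    if len(puny) > MAX_PUNYCODE_OCTETS:
        return f"A-label body longer than {MAX_PUNYCODE_OCTETS} octets"
    try:
        ulabel = puny.encode("ascii").decode("punycode")  # RFC 3492 decoding
    except UnicodeError as exc:
        return f"A-label does not decode as Punycode: {exc}"
    # Simplified U-label validity (assumption, not the full RFC 5891 rules):
    # a U-label must carry at least one non-ASCII character, be NFC-normalized,
    # and re-encode to the same Punycode string.
    if ulabel.isascii():
        return "A-label decodes to pure ASCII, which is not a U-label"
    if unicodedata.normalize("NFC", ulabel) != ulabel:
        return "decoded U-label is not in NFC form"
    if ulabel.encode("punycode").decode("ascii").lower() != puny.lower():
        return "A-label does not round-trip through Punycode"
    return None


def check_dnsname(name: str) -> List[Tuple[str, str]]:
    """Split a dNSName into dot-separated labels; return (label, reason) for each bad one."""
    problems = []
    for label in name.split("."):
        reason = check_label(label)
        if reason is not None:
            problems.append((label, reason))
    return problems


if __name__ == "__main__":
    # Constructed sample names; the underscore case is the one from the thread.
    for sample in ("www.example.com", "xn--bcher-kva.example",
                   "my_server.corp.fooco.com", "xn--foo-.example"):
        verdict = check_dnsname(sample)
        print(sample, "->", "admissible" if not verdict else verdict)
```

Running the block prints an "admissible" verdict for the plain LDH name and for the A-label name (xn--bcher-kva decodes to "bücher"), while the underscore label is reported with its code point U+005F and "xn--foo-" is rejected because it decodes to pure ASCII. Note that this checker covers only the corrigendum's label syntax; whether a CA should issue for such a name is the separate policy question the thread is about.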