[Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames

Wayne Thayer wthayer at mozilla.com
Fri Nov 2 15:10:36 MST 2018

This begins the voting period for Ballot SC12 - Sunset of Underscores in

Purpose of Ballot

Ballot 202 included a provision creating a permanent exception permitting
the underscore character to be used in SAN fields of type dNSName. Since
that ballot failed in 2017, the practice has continued despite being
non-compliant with RFC 5280. This ballot creates a brief sunset period
intended to allow Subscribers who are relying on FQDNs containing
underscores to transition away from them, either by changing the name or
deploying a wildcard certificate.

The following motion has been proposed by Wayne Thayer of Mozilla and
endorsed by Dave Blunt of Amazon and Tim Shirley of Trustwave.

Add the following language to BR section (Subject Alternative
Name Extension):

Prior to April 1, 2019, certificates containing underscore characters (“_”)
in domain labels in dNSName entries MAY be issued as follows:
* dNSName entries MAY include underscore characters such that replacing all
underscore characters with hyphen characters (“-”) would result in a valid
domain label, and;
* Underscore characters MUST NOT be placed in the left most domain label,
* Such certificates MUST NOT be valid for longer than 30 days.

All certificates containing an underscore character in any dNSName entry
and having a validity period of more than 30 days MUST be revoked prior to
January 15, 2019.

After April 30, 2019, underscore characters (“_”) MUST NOT be present in
dNSName entries.


This ballot proposes a Final Maintenance Guideline. A comparison of the
changes can be found at:

The procedure for approval of this ballot is as follows:

Discussion (7-21 days)
Start Time: 2018-10-26, 19:00 UTC
End Time: 2018-11-02, 22:00 UTC

Vote for approval (7 days)
Start Time: 2018-11-02, 22:00 UTC
End Time: 2018-11-09, 22:00 UTC
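
An added example, not part of the original message or the ballot: a Python lint for the issuance rules in the motion above, covering the hyphen-substitution test, the leftmost-label restriction and the 30-day validity limit. The function names, the letters-digits-hyphen label pattern, the use of notBefore as the issuance time and the sample hostnames are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Assumed label syntax: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LDH_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
EXCEPTION_ENDS = datetime(2019, 4, 1)   # "Prior to April 1, 2019"
MAX_VALIDITY = timedelta(days=30)       # "MUST NOT be valid for longer than 30 days"


def check_dnsname(name, not_before, not_after):
    """Return findings for one dNSName entry; an empty list means it passes."""
    if "_" not in name:
        return []
    # The exception covers issuance before April 1, 2019 only. Assumption:
    # notBefore stands in for the issuance time.
    if not_before >= EXCEPTION_ENDS:
        return ["underscore present, issued on or after 2019-04-01"]
    findings = []
    labels = name.rstrip(".").split(".")
    if "_" in labels[0]:
        findings.append("underscore in leftmost label")
    for label in labels:
        # Replacing every underscore with a hyphen must yield a valid label.
        if "_" in label and not LDH_LABEL.fullmatch(label.replace("_", "-")):
            findings.append(f"label {label!r} invalid after replacing _ with -")
    if not_after - not_before > MAX_VALIDITY:
        findings.append("validity period longer than 30 days")
    return findings


def lint_certificate(dns_names, not_before, not_after):
    """Map each offending dNSName entry to its list of findings."""
    checked = ((n, check_dnsname(n, not_before, not_after)) for n in dns_names)
    return {n: f for n, f in checked if f}


if __name__ == "__main__":
    # Constructed sample SAN list and validity window (26 days).
    names = ["api.dev_env.example.com", "my_host.example.com", "api._srv.example.com"]
    nb = datetime(2019, 1, 10)
    for name, findings in lint_certificate(names, nb, datetime(2019, 2, 5)).items():
        print(name, "->", "; ".join(findings))
```
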