[Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames

Tue Nov 6 14:08:20 MST 2018

SSL.com votes YES on ballot SC12.

-Tom
SSL.com

On 11/5/2018 4:24 PM, Tim Hollebeek via Servercert-wg wrote:
> DigiCert votes YES on ballot SC12.
>
>   
>
> -Tim
>
>   
>
> From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Wayne Thayer via Servercert-wg
> Sent: Monday, November 5, 2018 10:44 PM
> To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
> Subject: Re: [Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames
>
>   
>
> Mozilla votes Yes on ballot SC12.
>
>   
>
> - Wayne
>
>   
>
> On Fri, Nov 2, 2018 at 3:10 PM Wayne Thayer <wthayer at mozilla.com <mailto:wthayer at mozilla.com> > wrote:
>
> This begins the voting period for Ballot SC12 - Sunset of Underscores in dNSNames
>
>   
>
> Purpose of Ballot
>
> Ballot 202 included a provision creating a permanent exception permitting the underscore character to be used in SAN fields of type dNSName. Since that ballot failed in 2017, the practice has continued despite being non-compliant with RFC 5280. This ballot creates a brief sunset period intended to allow Subscribers who are relying on FQDNs containing underscores to transition away from them, either by changing the name or deploying a wildcard certificate.
>
> The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Dave Blunt of Amazon and Tim Shirley of Trustwave.
>
> --- MOTION BEGINS ---
> Add the following language to BR section 7.1.4.2.1 (Subject Alternative Name Extension):
>
>   
>
> Prior to April 1, 2019, certificates containing underscore characters (“_”) in domain labels in dNSName entries MAY be issued as follows:
>
> * dNSName entries MAY include underscore characters such that replacing all underscore characters with hyphen characters (“-“) would result in a valid domain label, and;
>
> * Underscore characters MUST NOT be placed in the left most domain label, and;
>
> * Such certificates MUST NOT be valid for longer than 30 days.
>
> All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.
>
>   
>
> After April 30, 2019, underscore characters (“_”) MUST NOT be present in dNSName entries.
>
>   
>
> --- MOTION ENDS ---
>
>   
>
> This ballot proposes a Final Maintenance Guideline. A comparison of the changes can be found at: https://github.com/wthayer/documents/compare/master...wthayer:Underscores <https://github.com/wthayer/documents/commit/9926d75d0b9a1969034a25864741eae4421a51e5>
>
>   
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7-21 days)
> Start Time: 2018-10-26, 19:00 UTC
> End Time: 2018-11-02, 22:00 UTC
>
>
> Vote for approval (7 days)
> Start Time: 2018-11-02, 22:00 UTC
> End Time: 2018-11-09, 22:00 UTC
>
>
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181106/98bfa28d/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3978 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181106/98bfa28d/attachment.p7s>