[Servercert-wg] 回复: Ballot SC12 - Sunset of Underscores in dNSNames

陈晓曈 chenxiaotong at sheca.com
Tue Nov 6 18:36:37 MST 2018

SHECA votes yes on Ballot SC12.

Toria Chen

Chen Xiaotong  Dept. of Strategic Development
 Shanghai Electronic Certificate Authority Center Co.,Ltd.

------------------ 原始邮件 ------------------
发件人: "servercert-wg"<servercert-wg at cabforum.org>;
发送时间: 2018年11月3日(星期六) 上午6:10
收件人: "CA/B Forum Server Certificate WG Public Discuss收件人ion List"<servercert-wg at cabforum.org>;

主题: [Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames

This begins the voting period for Ballot SC12 - Sunset of Underscores in dNSNames

Purpose of Ballot

Ballot  202 included a provision creating a permanent exception permitting the  underscore character to be used in SAN fields of type dNSName. Since  that ballot failed in 2017, the practice has continued despite being  non-compliant with RFC 5280. This ballot creates a brief sunset period  intended to allow Subscribers who are relying on FQDNs containing  underscores to transition away from them, either by changing the name or  deploying a wildcard certificate.

The following motion has been  proposed by Wayne Thayer of Mozilla and endorsed by Dave Blunt of Amazon  and Tim Shirley of Trustwave.

Add the following language to BR section (Subject Alternative Name Extension):

Prior to April 1, 2019, certificates containing underscore  characters (“_”) in domain labels in dNSName entries MAY be issued as follows:* dNSName entries MAY include underscore characters such that replacing all underscore characters with hyphen  characters (“-“) would result in a valid domain label, and;
* Underscore characters MUST NOT be placed in the left most domain  label, and;

* Such certificates MUST NOT be valid for longer than 30 days.

All  certificates containing an underscore character in any dNSName entry  and having a validity period of more than 30 days MUST be revoked prior  to January 15, 2019.

After April 30, 2019, underscore characters (“_”) MUST NOT be present in dNSName entries.


This ballot proposes a Final Maintenance Guideline. A comparison of the changes can be found at: https://github.com/wthayer/documents/compare/master...wthayer:Underscores

The procedure for approval of this ballot is as follows:

Discussion (7-21 days)
Start Time: 2018-10-26, 19:00 UTC
End Time: 2018-11-02, 22:00 UTC

Vote for approval (7 days)
Start Time: 2018-11-02, 22:00 UTC
End Time: 2018-11-09, 22:00 UTC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181107/fa64b26e/attachment.html>

More information about the Servercert-wg mailing list