[Servercert-wg] Re: Ballot SC12 - Sunset of Underscores in dNSNames

陈晓曈 chenxiaotong at sheca.com
Tue Nov 6 18:36:37 MST 2018


SHECA votes yes on Ballot SC12.


------------------
Regards,
Toria Chen
----------------

Chen Xiaotong  Dept. of Strategic Development
 Shanghai Electronic Certificate Authority Center Co.,Ltd.




------------------ Original Message ------------------
From: "servercert-wg"<servercert-wg at cabforum.org>;
Sent: Saturday, November 3, 2018, 6:10 AM
To: "CA/B Forum Server Certificate WG Public Discussion List"<servercert-wg at cabforum.org>;

Subject: [Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames



This begins the voting period for Ballot SC12 - Sunset of Underscores in dNSNames


Purpose of Ballot

Ballot 202 included a provision creating a permanent exception permitting the underscore character to be used in SAN fields of type dNSName. Since that ballot failed in 2017, the practice has continued despite being non-compliant with RFC 5280. This ballot creates a brief sunset period intended to allow Subscribers who are relying on FQDNs containing underscores to transition away from them, either by changing the name or deploying a wildcard certificate.

The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Dave Blunt of Amazon and Tim Shirley of Trustwave.

--- MOTION BEGINS ---
Add the following language to BR section 7.1.4.2.1 (Subject Alternative Name Extension):


Prior to April 1, 2019, certificates containing underscore characters (“_”) in domain labels in dNSName entries MAY be issued as follows:

* dNSName entries MAY include underscore characters such that replacing all underscore characters with hyphen characters (“-”) would result in a valid domain label, and;
* Underscore characters MUST NOT be placed in the left most domain label, and;
* Such certificates MUST NOT be valid for longer than 30 days.

All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.


After April 30, 2019, underscore characters (“_”) MUST NOT be present in dNSName entries.



--- MOTION ENDS ---



This ballot proposes a Final Maintenance Guideline. A comparison of the changes can be found at: https://github.com/wthayer/documents/compare/master...wthayer:Underscores



The procedure for approval of this ballot is as follows:

Discussion (7-21 days)
Start Time: 2018-10-26, 19:00 UTC
End Time: 2018-11-02, 22:00 UTC

Vote for approval (7 days)
Start Time: 2018-11-02, 22:00 UTC
End Time: 2018-11-09, 22:00 UTC
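
The issuance conditions in the motion above, written as a lint check. This is an added example, not part of the ballot or of the original message. It assumes that notBefore stands in for the issuance date and that a "valid domain label" means LDH syntax of 1 to 63 characters; the name `check_dnsname` and the sample values are hypothetical.

```python
import re
from datetime import date, timedelta

# Dates and limits taken from the motion text.
ALLOWANCE_ENDS = date(2019, 4, 1)    # "Prior to April 1, 2019 ... MAY be issued"
PROHIBITED_AFTER = date(2019, 4, 30) # "After April 30, 2019 ... MUST NOT be present"
MAX_VALIDITY = timedelta(days=30)

# Assumption: LDH label = letters, digits, hyphens, no leading or trailing hyphen.
_LDH_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def check_dnsname(name, not_before, not_after):
    """Return the SC12 problems for one dNSName entry (empty list = acceptable)."""
    if "_" not in name:
        return []  # the motion only concerns names containing underscores
    problems = []
    if not_before > PROHIBITED_AFTER:
        problems.append("underscores prohibited after 2019-04-30")
    elif not_before >= ALLOWANCE_ENDS:
        problems.append("outside the pre-2019-04-01 issuance allowance")
    if not_after - not_before > MAX_VALIDITY:
        problems.append("validity longer than 30 days")
    labels = name.split(".")
    if "_" in labels[0]:
        problems.append("underscore in left-most label")
    for label in labels:
        # Each underscore label must become a valid label once "_" is replaced by "-".
        if "_" in label and not _LDH_LABEL.fullmatch(label.replace("_", "-")):
            problems.append(f"label {label!r} invalid after hyphen replacement")
    return problems

if __name__ == "__main__":
    # Constructed sample entries: (dNSName, notBefore, notAfter).
    samples = [
        ("www.my_host.example.com", date(2019, 1, 10), date(2019, 2, 5)),
        ("my_host.example.com", date(2019, 1, 10), date(2019, 2, 5)),
        ("www._srv.example.com", date(2019, 1, 10), date(2019, 2, 5)),
        ("www.my_host.example.com", date(2018, 12, 1), date(2019, 12, 1)),
    ]
    for name, nb, na in samples:
        print(name, nb, na, check_dnsname(name, nb, na) or "ok")
```
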