[Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames

García Jimeno, Oscar o-garcia at izenpe.eus
Wed Nov 7 01:50:11 MST 2018


Izenpe votes YES on ballot SC12

Regards

We are .eus!
That is why my email address is now: o-garcia at izenpe.eus

Oscar García
CISSP, CISM

ATTENTION! Part or all of this message may be legally protected. The message has an intended recipient. If it has reached the wrong address (mistyped address, transmission failure), please notify the sender by replying to this email. CAUTION!
ATTENTION! This message contains privileged or confidential information that only the recipient is entitled to access. If you receive it in error, we would be grateful if you did not make use of the information and contacted the sender.


From: Servercert-wg [mailto:servercert-wg-bounces at cabforum.org] On behalf of Wayne Thayer via Servercert-wg
Sent: Friday, 2 November 2018 23:11
To: CA/B Forum Server Certificate WG Public Discussion List
Subject: [Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames

This begins the voting period for Ballot SC12 - Sunset of Underscores in dNSNames

Purpose of Ballot

Ballot 202 included a provision creating a permanent exception permitting the underscore character to be used in SAN fields of type dNSName. Since that ballot failed in 2017, the practice has continued despite being non-compliant with RFC 5280. This ballot creates a brief sunset period intended to allow Subscribers who are relying on FQDNs containing underscores to transition away from them, either by changing the name or deploying a wildcard certificate.

The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Dave Blunt of Amazon and Tim Shirley of Trustwave.

--- MOTION BEGINS ---
Add the following language to BR section 7.1.4.2.1 (Subject Alternative Name Extension):

Prior to April 1, 2019, certificates containing underscore characters (“_”) in domain labels in dNSName entries MAY be issued as follows:
* dNSName entries MAY include underscore characters such that replacing all underscore characters with hyphen characters (“-”) would result in a valid domain label, and;
* Underscore characters MUST NOT be placed in the left most domain label, and;
* Such certificates MUST NOT be valid for longer than 30 days.

All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.

After April 30, 2019, underscore characters (“_”) MUST NOT be present in dNSName entries.

--- MOTION ENDS ---

This ballot proposes a Final Maintenance Guideline. A comparison of the changes can be found at: https://github.com/wthayer/documents/compare/master...wthayer:Underscores<https://github.com/wthayer/documents/commit/9926d75d0b9a1969034a25864741eae4421a51e5>

The procedure for approval of this ballot is as follows:

Discussion (7-21 days)
Start Time: 2018-10-26, 19:00 UTC
End Time: 2018-11-02, 22:00 UTC

Vote for approval (7 days)
Start Time: 2018-11-02, 22:00 UTC
End Time: 2018-11-09, 22:00 UTC
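
The dNSName conditions in the motion, written as a lint check a CA or auditor could run over certificate data. This is an added example, not part of the original message or the ballot; the function name, the sample names and dates, the use of notBefore as the issuance time, and the reading of "valid domain label" as an LDH label are assumptions.

```python
import re
from datetime import datetime, timedelta

# Dates and limits come from the motion text. Treating notBefore as the
# issuance time and "valid domain label" as an LDH label (letters, digits,
# hyphen, 1-63 chars, no leading/trailing hyphen) are assumptions.
EXCEPTION_ENDS = datetime(2019, 4, 1)
MAX_VALIDITY = timedelta(days=30)
LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def lint_underscore_dnsname(dns_name, not_before, not_after):
    """Return findings for one dNSName entry; an empty list means no issue."""
    if "_" not in dns_name:
        return []  # the motion only restricts names containing underscores
    if not_before >= EXCEPTION_ENDS:
        return ["issued on or after 2019-04-01 with an underscore"]
    findings = []
    labels = dns_name.rstrip(".").split(".")
    if "_" in labels[0]:
        findings.append("underscore in left-most label")
    for index, label in enumerate(labels):
        if index == 0 and label == "*":
            continue  # a wildcard label is outside this check
        if not LDH_LABEL.fullmatch(label.replace("_", "-")):
            findings.append(f"label {label!r} invalid after '_' -> '-'")
    if not_after - not_before > MAX_VALIDITY:
        findings.append("validity longer than 30 days")
    return findings


# Constructed sample entries: (dNSName, notBefore, notAfter).
SAMPLES = [
    ("www.dev_env.example.com", datetime(2019, 1, 10), datetime(2019, 2, 5)),
    ("app_server.example.com", datetime(2019, 1, 10), datetime(2019, 2, 5)),
    ("www._dev.example.com", datetime(2019, 1, 10), datetime(2019, 2, 5)),
    ("www.dev_env.example.com", datetime(2018, 12, 1), datetime(2019, 12, 1)),
    ("www.dev_env.example.com", datetime(2019, 5, 1), datetime(2019, 5, 20)),
]

if __name__ == "__main__":
    for name, nb, na in SAMPLES:
        result = lint_underscore_dnsname(name, nb, na) or ["ok"]
        print(name, nb.date(), na.date(), "; ".join(result))
```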