[Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames

Neil Dunbar ndunbar at trustcorsystems.com
Wed Nov 7 05:49:13 MST 2018


TrustCor ABSTAINS on ballot SC12

Our DNS validation does not allow underscores in names, and we feel that continued practice of non-compliant issue, post ballot 202 failure is unfortunate.

Regards,

Neil

> On 2 Nov 2018, at 22:10, Wayne Thayer via Servercert-wg <servercert-wg at cabforum.org> wrote:
> 
> This begins the voting period for Ballot SC12 - Sunset of Underscores in dNSNames
> 
> Purpose of Ballot
> 
> Ballot 202 included a provision creating a permanent exception permitting the underscore character to be used in SAN fields of type dNSName. Since that ballot failed in 2017, the practice has continued despite being non-compliant with RFC 5280. This ballot creates a brief sunset period intended to allow Subscribers who are relying on FQDNs containing underscores to transition away from them, either by changing the name or deploying a wildcard certificate.
> 
> The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Dave Blunt of Amazon and Tim Shirley of Trustwave.
> 
> --- MOTION BEGINS ---
> Add the following language to BR section 7.1.4.2.1 (Subject Alternative Name Extension):
> 
> Prior to April 1, 2019, certificates containing underscore characters (“_”) in domain labels in dNSName entries MAY be issued as follows:
> * dNSName entries MAY include underscore characters such that replacing all underscore characters with hyphen characters (“-“) would result in a valid domain label, and;
> * Underscore characters MUST NOT be placed in the left most domain label, and;
> * Such certificates MUST NOT be valid for longer than 30 days.
> 
> All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.
> 
> After April 30, 2019, underscore characters (“_”) MUST NOT be present in dNSName entries.
> 
> --- MOTION ENDS ---
> 
> This ballot proposes a Final Maintenance Guideline. A comparison of the changes can be found at: https://github.com/wthayer/documents/compare/master...wthayer:Underscores <https://github.com/wthayer/documents/commit/9926d75d0b9a1969034a25864741eae4421a51e5>
> 
> The procedure for approval of this ballot is as follows:
> 
> Discussion (7-21 days)
> Start Time: 2018-10-26, 19:00 UTC
> End Time: 2018-11-02, 22:00 UTC
> 
> Vote for approval (7 days)
> Start Time: 2018-11-02, 22:00 UTC
> End Time: 2018-11-09, 22:00 UTC
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181107/231e1362/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: Message signed with OpenPGP
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181107/231e1362/attachment.sig>


More information about the Servercert-wg mailing list