[Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames

Wed Nov 7 17:43:01 MST 2018

TWCA votes Yes on ballot SC12

Thanks,
Robin Lin (Wei Tsong Lin)
CSSLP®
Project Manager
CA Research and Developing Department
TAIWAN-CA INC.
TEL：+886-2-2370-8886 ext. 721
FAX：+886-2-2370-0728
E-mail：robin.lin at twca.com.tw<mailto:robin.lin at twca.com.tw>
[cid:image001.png at 01D4773F.0E052450]
10th Floor, 85 Yenping South Road, 10043 Taipei, Taiwan
http://www.twca.com.tw<http://www.twca.com.tw/>

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Wayne Thayer via Servercert-wg
Sent: Saturday, November 3, 2018 6:11 AM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames

This begins the voting period for Ballot SC12 - Sunset of Underscores in dNSNames

Purpose of Ballot

Ballot 202 included a provision creating a permanent exception permitting the underscore character to be used in SAN fields of type dNSName. Since that ballot failed in 2017, the practice has continued despite being non-compliant with RFC 5280. This ballot creates a brief sunset period intended to allow Subscribers who are relying on FQDNs containing underscores to transition away from them, either by changing the name or deploying a wildcard certificate.

The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Dave Blunt of Amazon and Tim Shirley of Trustwave.

--- MOTION BEGINS ---
Add the following language to BR section 7.1.4.2.1 (Subject Alternative Name Extension):

Prior to April 1, 2019, certificates containing underscore characters (“_”) in domain labels in dNSName entries MAY be issued as follows:
* dNSName entries MAY include underscore characters such that replacing all underscore characters with hyphen characters (“-“) would result in a valid domain label, and;
* Underscore characters MUST NOT be placed in the left most domain label, and;
* Such certificates MUST NOT be valid for longer than 30 days.

All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.

After April 30, 2019, underscore characters (“_”) MUST NOT be present in dNSName entries.

--- MOTION ENDS ---

This ballot proposes a Final Maintenance Guideline. A comparison of the changes can be found at: https://github.com/wthayer/documents/compare/master...wthayer:Underscores<https://github.com/wthayer/documents/commit/9926d75d0b9a1969034a25864741eae4421a51e5>

The procedure for approval of this ballot is as follows:

Discussion (7-21 days)
Start Time: 2018-10-26, 19:00 UTC
End Time: 2018-11-02, 22:00 UTC

Vote for approval (7 days)
Start Time: 2018-11-02, 22:00 UTC
End Time: 2018-11-09, 22:00 UTC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181108/056d4171/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 9139 bytes
Desc: image001.png
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181108/056d4171/attachment-0001.png>