[Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames

Wojciech Trapczyński wojciech.trapczynski at assecods.pl
Thu Nov 8 01:52:41 MST 2018


Certum votes Yes on Ballot SC12.

-Wojciech Trapczyński

On 02.11.2018 23:10, Wayne Thayer via Servercert-wg wrote:
> This begins the voting period for Ballot SC12 - Sunset of Underscores in 
> dNSNames
> 
> Purpose of Ballot
> 
> Ballot 202 included a provision creating a permanent exception 
> permitting the underscore character to be used in SAN fields of type 
> dNSName. Since that ballot failed in 2017, the practice has continued 
> despite being non-compliant with RFC 5280. This ballot creates a brief 
> sunset period intended to allow Subscribers who are relying on FQDNs 
> containing underscores to transition away from them, either by changing 
> the name or deploying a wildcard certificate.
> 
> The following motion has been proposed by Wayne Thayer of Mozilla and 
> endorsed by Dave Blunt of Amazon and Tim Shirley of Trustwave.
> 
> --- MOTION BEGINS ---
> Add the following language to BR section 7.1.4.2.1 (Subject Alternative 
> Name Extension):
> 
> Prior to April 1, 2019, certificates containing underscore characters 
> (“_”) in domain labels in dNSName entries MAY be issued as follows:
> * dNSName entries MAY include underscore characters such that replacing 
> all underscore characters with hyphen characters (“-”) would result in a 
> valid domain label, and;
> * Underscore characters MUST NOT be placed in the left most domain label, 
> and;
> * Such certificates MUST NOT be valid for longer than 30 days.
> 
> All certificates containing an underscore character in any dNSName entry 
> and having a validity period of more than 30 days MUST be revoked prior 
> to January 15, 2019.
> 
> After April 30, 2019, underscore characters (“_”) MUST NOT be present in 
> dNSName entries.
> 
> --- MOTION ENDS ---
> 
> This ballot proposes a Final Maintenance Guideline. A comparison of the 
> changes can be found at: 
> https://github.com/wthayer/documents/compare/master...wthayer:Underscores <https://github.com/wthayer/documents/commit/9926d75d0b9a1969034a25864741eae4421a51e5>
> 
> The procedure for approval of this ballot is as follows:
> 
> Discussion (7-21 days)
> Start Time: 2018-10-26, 19:00 UTC
> End Time: 2018-11-02, 22:00 UTC
> 
> Vote for approval (7 days)
> Start Time: 2018-11-02, 22:00 UTC
> End Time: 2018-11-09, 22:00 UTC
> 
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg
> 
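
The conditions in the quoted motion, written as a small Python check. This is an added example, not part of the original message or of any CA/Browser Forum tooling. It assumes "valid domain label" means the letters-digits-hyphen rule and treats notBefore as the issuance date; the function names and sample data are made up for illustration.

```python
import re
from datetime import date, timedelta

# Assumption: "valid domain label" means the LDH rule (RFC 1123): 1-63 chars,
# letters/digits/hyphens, no leading or trailing hyphen.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
ISSUANCE_CUTOFF = date(2019, 4, 1)   # "Prior to April 1, 2019" from the motion
MAX_VALIDITY = timedelta(days=30)    # "MUST NOT be valid for longer than 30 days"


def check_dnsname(name):
    """Return a list of violations for one dNSName entry (empty = acceptable)."""
    problems = []
    labels = name.rstrip(".").split(".")
    for i, label in enumerate(labels):
        if i == 0 and label == "*":
            continue  # wildcard label, contains no underscore
        if "_" in label and i == 0:
            problems.append(f"{name}: underscore in left-most label")
        if not LDH_LABEL.match(label.replace("_", "-")):
            problems.append(f"{name}: label {label!r} invalid after '_' -> '-'")
    return problems


def check_certificate(dns_names, not_before, not_after):
    """Apply the motion's conditions to a certificate's SAN dNSNames and dates."""
    problems = []
    for name in dns_names:
        problems += check_dnsname(name)
    if any("_" in n for n in dns_names):
        # Assumption: notBefore is used as the issuance date.
        if not_before >= ISSUANCE_CUTOFF:
            problems.append("underscore dNSName issued on or after 2019-04-01")
        if not_after - not_before > MAX_VALIDITY:
            problems.append("underscore dNSName with validity over 30 days")
    return problems


# Constructed sample certificates (not real issuance data).
SAMPLES = {
    "ok": (["www.my_host.example.com"], date(2018, 12, 1), date(2018, 12, 31)),
    "leftmost": (["my_host.example.com"], date(2018, 12, 1), date(2018, 12, 31)),
    "long": (["www.my_host.example.com"], date(2018, 12, 1), date(2019, 12, 1)),
    "late": (["www.my_host.example.com"], date(2019, 4, 1), date(2019, 4, 15)),
}

if __name__ == "__main__":
    for tag, cert in SAMPLES.items():
        print(tag, check_certificate(*cert))
```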
