[Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames

Jos Purvis (jopurvis) jopurvis at cisco.com
Thu Nov 8 21:03:09 MST 2018 

Cisco votes YES on SC12.

 

 

-- 
Jos Purvis (jopurvis at cisco.com)
.:|:.:|:. cisco systems  | Cryptographic Services
PGP: 0xFD802FEE07D19105  | +1 919.991.9114 (desk)

 

 

From: Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of Wayne Thayer via Servercert-wg <servercert-wg at cabforum.org>
Reply-To: Wayne Thayer <wthayer at mozilla.com>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Date: Friday, 2 November, 2018 at 15:11 
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames

 

This begins the voting period for Ballot SC12 - Sunset of Underscores in dNSNames

 

Purpose of Ballot

Ballot 202 included a provision creating a permanent exception permitting the underscore character to be used in SAN fields of type dNSName. Since that ballot failed in 2017, the practice has continued despite being non-compliant with RFC 5280. This ballot creates a brief sunset period intended to allow Subscribers who are relying on FQDNs containing underscores to transition away from them, either by changing the name or deploying a wildcard certificate.

The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Dave Blunt of Amazon and Tim Shirley of Trustwave.

--- MOTION BEGINS ---
Add the following language to BR section 7.1.4.2.1 (Subject Alternative Name Extension):

 

Prior to April 1, 2019, certificates containing underscore characters (“_”) in domain labels in dNSName entries MAY be issued as follows: 

* dNSName entries MAY include underscore characters such that replacing all underscore characters with hyphen characters (“-“) would result in a valid domain label, and;

* Underscore characters MUST NOT be placed in the left most domain label, and;

* Such certificates MUST NOT be valid for longer than 30 days.

All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.

 

After April 30, 2019, underscore characters (“_”) MUST NOT be present in dNSName entries.

 

--- MOTION ENDS ---

 

This ballot proposes a Final Maintenance Guideline. A comparison of the changes can be found at: https://github.com/wthayer/documents/compare/master...wthayer:Underscores

 

The procedure for approval of this ballot is as follows:

Discussion (7-21 days)
Start Time: 2018-10-26, 19:00 UTC
End Time: 2018-11-02, 22:00 UTC


Vote for approval (7 days)
Start Time: 2018-11-02, 22:00 UTC
End Time: 2018-11-09, 22:00 UTC

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181109/2041310f/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2095 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181109/2041310f/attachment-0001.p7s>

More information about the Servercert-wg mailing list