[Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames
Sander Remmerswaal, [Digidentity]
SRemmerswaal at digidentity.com
Fri Nov 9 07:19:03 MST 2018
Digidentity votes Yes.
Regards,
Sander
From: Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of Wayne Thayer via Servercert-wg <servercert-wg at cabforum.org>
Reply-To: Wayne Thayer <wthayer at mozilla.com>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Date: Friday, 2 November 2018 at 23:10
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: <EXT>[Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames
This begins the voting period for Ballot SC12 - Sunset of Underscores in dNSNames
Purpose of Ballot
Ballot 202 included a provision creating a permanent exception permitting the underscore character to be used in SAN fields of type dNSName. Since that ballot failed in 2017, the practice has continued despite being non-compliant with RFC 5280. This ballot creates a brief sunset period intended to allow Subscribers who are relying on FQDNs containing underscores to transition away from them, either by changing the name or deploying a wildcard certificate.
The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Dave Blunt of Amazon and Tim Shirley of Trustwave.
--- MOTION BEGINS ---
Add the following language to BR section 7.1.4.2.1 (Subject Alternative Name Extension):
Prior to April 1, 2019, certificates containing underscore characters (“_”) in domain labels in dNSName entries MAY be issued as follows:
* dNSName entries MAY include underscore characters such that replacing all underscore characters with hyphen characters (“-“) would result in a valid domain label, and;
* Underscore characters MUST NOT be placed in the left most domain label, and;
* Such certificates MUST NOT be valid for longer than 30 days.
All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.
After April 30, 2019, underscore characters (“_”) MUST NOT be present in dNSName entries.
--- MOTION ENDS ---
This ballot proposes a Final Maintenance Guideline. A comparison of the changes can be found at: https://github.com/wthayer/documents/compare/master...wthayer:Underscores
The procedure for approval of this ballot is as follows:
Discussion (7-21 days)
Start Time: 2018-10-26, 19:00 UTC
End Time: 2018-11-02, 22:00 UTC
Vote for approval (7 days)
Start Time: 2018-11-02, 22:00 UTC
End Time: 2018-11-09, 22:00 UTC
Sander Remmerswaal |
Chief Security Officer | Digidentity BV | Office: +31 (0) 88 778 7878
Waldorpstraat 17p | 2521CA The Hague | The Netherlands | Email: SRemmerswaal at digidentity.com
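
An added example, not part of the original message or the ballot: a Python check of one dNSName against the exception conditions in the motion quoted above. It assumes that "valid domain label" means an RFC 1123 LDH label, passes a leading wildcard label through, and treats notBefore as the issuance date; the function name and the sample names in the comments are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumption: "valid domain label" means an RFC 1123 LDH label
# (letters, digits, hyphens; no leading/trailing hyphen; 1-63 characters).
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
EXCEPTION_ENDS = datetime(2019, 4, 1)  # "Prior to April 1, 2019"
MAX_VALIDITY = timedelta(days=30)      # "MUST NOT be valid for longer than 30 days"


def check_dnsname(name, not_before, not_after):
    """Return a list of findings for one dNSName under the motion text.

    Constructed inputs: 'foo.bar_baz.example.com' issued 2019-01-10 for 26 days
    yields no findings; 'foo_bar.example.com' fails the left most label rule.
    """
    labels = name.rstrip(".").split(".")
    findings = []
    for i, label in enumerate(labels):
        if i == 0 and label == "*":    # assumption: wildcard label is validated elsewhere
            continue
        # The motion's test: swap underscores for hyphens, then require a valid label.
        if not LDH_LABEL.match(label.replace("_", "-")):
            findings.append(f"label {label!r} is not valid even with '_' replaced by '-'")
    if "_" not in name:
        return findings                # no underscore: the sunset rules do not apply
    if not_before >= EXCEPTION_ENDS:
        # The MAY exception only covers issuance prior to April 1, 2019.
        findings.append("underscore present but issued outside the exception window")
        return findings
    if "_" in labels[0]:
        findings.append("underscore in the left most domain label")
    if not_after - not_before > MAX_VALIDITY:
        findings.append("underscore present and validity exceeds 30 days")
    return findings
```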