[Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNa mes

realsky(CHT) realsky at cht.com.tw
Fri Nov 9 09:35:08 MST 2018

Chunghwa Telecom votes No to ballot SC12.


-----Original message-----
From:Bruce Morton via Servercert-wg<servercert-wg at cabforum.org>
To:Wayne Thayer<wthayer at mozilla.com>,CA/B Forum Server Certificate WG Public Discussion List<servercert-wg at cabforum.org>
Date: Fri, 09 Nov 2018 23:15:30
Subject: [外部郵件] Re: [Servercert-wg] [EXTERNAL] Ballot SC12 - Sunset of Underscores in dNSNames
Entrust votes No to ballot SC12.
We do agree that the issue for use of underscores needs to be resolved as to whether they are allowed or not allowed. However, this ballot does not address whether underscores can be used. The ballot assumes that underscores are not required. The ballot does not address the threat, nor does it justify the urgency to remove underscores. The urgency of removing underscores by decreasing validity period and revocation, does not give Subscribers sufficient time to change how they deploy their certificates.
From: Servercert-wg [mailto:servercert-wg-bounces at cabforum.org]On Behalf Of Wayne Thayer via Servercert-wg
Sent: November 2, 2018 6:11 PM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [EXTERNAL][Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames
WARNING: This email originated outside of Entrust Datacard.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

This begins the voting period for Ballot SC12 - Sunset of Underscores in dNSNames

Purpose of Ballot

Ballot 202 included a provision creating a permanent exception permitting the underscore character to be used in SAN fields of type dNSName. Since that ballot failed in 2017, the practice has continued despite being non-compliant with RFC 5280. This ballot creates a brief sunset period intended to allow Subscribers who are relying on FQDNs containing underscores to transition away from them, either by changing the name or deploying a wildcard certificate.

The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Dave Blunt of Amazon and Tim Shirley of Trustwave.

Add the following language to BR section (Subject Alternative Name Extension):


Prior to April 1, 2019, certificates containing underscore characters (“_”) in domain labels in dNSName entries MAY be issued as follows:
* dNSName entries MAY include underscore characters such that replacing all underscore characters with hyphen characters (“-“) would result in a valid domain label, and;

* Underscore characters MUST NOT be placed in the left most domain label, and;

*Such certificates MUST NOT be valid for longer than 30 days.

All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.


After April 30, 2019, underscore characters (“_”) MUST NOT be present in dNSName entries.




This ballot proposes a Final Maintenance Guideline. A comparison of the changes can be found at:https://github.com/wthayer/documents/compare/master...wthayer:Underscores


The procedure for approval of this ballot is as follows:

Discussion (7-21 days)
Start Time: 2018-10-26, 19:00 UTC
End Time: 2018-11-02, 22:00 UTC

Vote for approval (7 days)
Start Time: 2018-11-02, 22:00 UTC
End Time: 2018-11-09, 22:00 UTC

Servercert-wg mailing list
Servercert-wg at cabforum.org

本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任. 
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181110/4f2e6e32/attachment-0001.html>

More information about the Servercert-wg mailing list