[Servercert-wg] Ballot SC12 - Sunset of Underscores in dNSNames

Ryan Sleevi sleevi at google.com
Fri Nov 9 14:52:50 MST 2018


Google votes NO.

While appreciative of the goal of trying to find a sunset, we do not agree
that the Baseline Requirements should encourage contravention of the
long-standing normative requirements of RFC 5280 without significant
justification. Given that such non-compliance was identified quite some
time ago, any reasonable migration or sunset period can and should have
been accomplished by CAs.

Most concerning about this ballot is the risk that such material
non-compliance will be overlooked by auditors, undermining the level of
assurance provided to all certificate consumer members and the broader
community. This ballot removes transparency from the ecosystem, by virtue
of treating such activities as permissible in the BRs, thus preventing the
detection and mitigation of future issues. Equally concerning is the line
of reasoning that has been advanced that suggests that transitive
requirements are somehow not normative or binding, or that they are
reasonable for CAs to ignore. Given the security risks introduced by CAs in
the past through ignoring of transitive requirements, such as those found
in the X.680/X.690 or in the RFC 3447/8017 series, we are quite concerned
with such arguments.