[Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames

Phillip philliph at comodo.com
Mon Oct 22 07:22:51 MST 2018

RFC 5280 was issued in 2008 when the DNS community had a very different understanding of the role of underscores. 


There was a faction devoted to the peculiar notion that the way to deploy DNSSEC was to force use of DNS features that would require the use of new RRs as a means of accelerating DNS deployment. That strategy is now moot.


Since the purpose of underscores in the current DNS architecture is now acknowledged to be to enable discovery of services by name as opposed to port number, it would seem that this is the right time to re-open this discussion and correct the earlier mistake.


CABForum has previously endorsed behaviors that are contrary to those specified in RFCs.



The way to square this particular circle is to introduce a requirement that an application MUST NOT accept certificates for a name with a prefix that does not match the name of the service being provided. A Web Browser MUST NOT accept underscore DNS names other than _http._tcp.<domain> and _https._tcp.<domain>.


This approach enables underscores in SANs to be used to restrict use of certificates to particular protocols. _mmm._tcp.example.com would restrict use to a Mathematical Mesh service for example.
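The acceptance rule proposed above, written out as an added example in Python (this is not code from the post, from CABForum or from any browser): an application accepts a plain dNSName as before, and accepts an underscore-prefixed dNSName only when its leading service/protocol labels match what that application itself speaks. The prefix sets for a browser and for a Mesh client are assumptions for illustration.

```python
# Added example (not from the mailing list post): a check an application could
# apply to a certificate's dNSName SAN entries under the rule proposed above.
# Plain hostnames are accepted as before; an underscore-prefixed name is
# accepted only if its service/protocol prefix matches what the application
# itself speaks. The prefix sets below are assumptions for illustration.

from typing import Optional, Tuple

# Per application: which service prefixes it may use a certificate for.
# A browser speaks HTTP(S) over TCP and nothing else (as the post proposes).
BROWSER_PREFIXES = frozenset({("_http", "_tcp"), ("_https", "_tcp")})
MESH_PREFIXES = frozenset({("_mmm", "_tcp")})  # hypothetical Mesh client


def split_service_name(san: str) -> Tuple[Optional[Tuple[str, str]], str]:
    """Split a dNSName into (service prefix, base domain).

    Returns (None, name) for an ordinary hostname. Raises ValueError for
    malformed underscore usage: a lone '_service' label with no '_proto'
    label, or underscore labels that are not exactly the leading two labels.
    """
    labels = san.rstrip(".").lower().split(".")
    underscored = [i for i, lab in enumerate(labels) if lab.startswith("_")]
    if not underscored:
        return None, ".".join(labels)
    if underscored != [0, 1]:
        raise ValueError(f"underscore labels must be the leading two: {san}")
    base = ".".join(labels[2:])
    if not base:
        raise ValueError(f"no base domain after service prefix: {san}")
    return (labels[0], labels[1]), base


def accepts_san(san: str, allowed_prefixes: frozenset) -> bool:
    """True if an application limited to allowed_prefixes may accept this SAN."""
    try:
        prefix, _base = split_service_name(san)
    except ValueError:
        return False
    if prefix is None:
        return True  # ordinary hostname: behaviour unchanged
    return prefix in allowed_prefixes


def san_matches_host(san: str, host: str, allowed_prefixes: frozenset) -> bool:
    """Full check: prefix allowed for this application AND base domain == host."""
    if not accepts_san(san, allowed_prefixes):
        return False
    _prefix, base = split_service_name(san)
    return base == host.rstrip(".").lower()
```

A browser using `BROWSER_PREFIXES` thus rejects `_mmm._tcp.example.com` while a Mesh client using `MESH_PREFIXES` accepts it, which is the restriction-by-protocol effect the post describes.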




