[Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames

[Ryan Sleevi]

Just to capture actual numbers from CT:

For all the hand-wringing here, I see a total of 3957 unexpired
(certificates && pre-certificates combined) in a recent CT dump, 993 of
which were issued in 2018. Of that, nearly a quarter were issued
on-or-after 2018-09-01 (269), which seems to suggest a disproportionate
increase.

If I look to only consider pre-certificates issued after 2018-05-01,
however, that number goes much smaller - 289 certificates issued since
then.

If we look at those customers who have an underscore in a second-label or
later (i.e. those that can't just go to a wildcard), then the total number
of distinct DNS names is 166.

Because that list is so small and easy to represent, it's included, in
full, below, along with the issuer certificates Organization field (note:
this is extracted as-is, without additional verification of a chain to a
trust anchor)

dns_name issuer_organization
ftp.aetna_sg.bswift.net Aetna Inc
cws.bks_group.ccms.worksap.co.jp AffirmTrust
cwsmb.bks_group.ccms.worksap.co.jp AffirmTrust
cwskm.bks_group.ccms.worksap.co.jp AffirmTrust
appee.gccloudpms_qa.ihg.com COMODO CA Limited
order.public_yoshop.com.trunk.s1cg.egomsl.com COMODO CA Limited
cart.public_yoshop.com.trunk.s1cg.egomsl.com COMODO CA Limited
www.mfa_us.gdls.com COMODO CA Limited
*.development-na01-pgatoursuperstore_com.cc-ecdn.net COMODO CA Limited
www.sancus_crm.omegabigdata.com COMODO CA Limited
*.production-na01-pgatoursuperstore_com.cc-ecdn.net COMODO CA Limited
www.w0lxqrad_qa01.worldbank.org COMODO CA Limited
www.mymas_st_dc2.avivagroup.com COMODO CA Limited
www.mymas_pv_dc3.avivagroup.com COMODO CA Limited
_collab-edge._tls.dufferincounty.ca COMODO CA Limited
www.mymas_rw_dc3.avivagroup.com COMODO CA Limited
appff.gccloudpms_qa.ihg.com COMODO CA Limited
*.production-web-oneill_com.cc-ecdn.net COMODO CA Limited
www.mymas_pp_dc2.avivagroup.com COMODO CA Limited
www.office_eygelshoven.laurametaal.nl COMODO CA Limited
www.mfa_cdn.gdls.com COMODO CA Limited
appcc.gccloudpms_qa.ihg.com COMODO CA Limited
*.development-web-oneill_com.cc-ecdn.net COMODO CA Limited
www.mymas_pd_dc3.avivagroup.com COMODO CA Limited
www.office_maastricht.laurametaal.nl COMODO CA Limited
www.pfeiffer_sic.eisen-pfeiffer.de COMODO CA Limited
www.mymas_pd_dc2.avivagroup.com COMODO CA Limited
_collab-edge._tls.tohelpeveryone.org COMODO CA Limited
_collab-edge._tls.sbk-vs.de D-Trust GmbH
_collab-edge._tls.sait.ca DigiCert Inc
dev.map_gw.tsc-tc.com DigiCert Inc
n18.vpod_sdu.atlas.ericsson.se DigiCert Inc
_collab-edge._tls.inc.com.kw DigiCert Inc
ree.lak_scls.sandbox.kohalibrary.com DigiCert Inc
www.mysequoia_campingledauphin.mysequoia.fr DigiCert Inc
dr.test_2_6_17.dstcorp.net DigiCert Inc
dev.esp_ca.tsc-tc.com DigiCert Inc
dr.test_1_6_17.dstcorp.net DigiCert Inc
pro.esgwsa_2018.hp.com DigiCert Inc
_xmpp-server._tcp.conference-2-standalonecluster02f20.evsc.k12.in.us DigiCert
Inc
itg.esgwsa_2018.hp.com DigiCert Inc
col.lak_scls.sandbox.kohalibrary.com DigiCert Inc
itg.esgwsa_20_18.hp.com DigiCert Inc
_collab-edge._tls.fnbhutch.bank DigiCert Inc
_autodiscover._tcp.uges.k12.wi.us DigiCert Inc
_collab-edge._tls.pentanasolutions.com DigiCert Inc
_sip._tcp.sait.ca DigiCert Inc
_collab-edge._tls.oglobal.net DigiCert Inc
2917.content.network_1917.edog.msft.net DigiCert Inc
_collab-edge._tls.uowdubai.ac.ae DigiCert Inc
328.pmachine.zone_328.edog.msft.net DigiCert Inc
mad.lak_scls.sandbox.kohalibrary.com DigiCert Inc
OMGEOLLC_PROD_VERSION_1.0.0_MESSAGING.OMGEO.NET DigiCert Inc
_xmpp-server._tcp.evsc.k12.in.us DigiCert Inc
_sips._tcp.sait.ca DigiCert Inc
58.97.74.121_1.pim.ac.th DigiCert Inc
www.Grad_Office_Program_Tracking.birg.unbc.ca DigiCert Inc
_collab-edge._tls.sohar-aluminium.com DigiCert Inc
OMGEOLLC_CONNECT_PROD_VERSION_1.0.0_MESSAGING.OMGEO.NET DigiCert Inc
rsch-pp.baml.com_ext.bankofamerica.com DigiCert Inc
dev.poi_ap.tsc-tc.com DigiCert Inc
_autodiscover._tcp.medic911.com DigiCert Inc
www.virt_psc-eng-devops-dev-02.cloudsimple.us DigiCert Inc
www.ProvincialPatientTransfer_Dev.birg.unbc.ca DigiCert Inc
_collab-edge._tls.clarkbuilders.com DigiCert Inc
322.pmachine.zone_322.edog.msft.net DigiCert Inc
dev.poi_nv.tsc-tc.com DigiCert Inc
dev.esp_ci.tsc-tc.com DigiCert Inc
_collab-edge._tls.pwc-id.com DigiCert Inc
collab-edge._tls.overstock.com DigiCert Inc
_collab-edge._tls.sequenom.com DigiCert Inc
dev.traffic_contribution.pnop.tsc-tc.com DigiCert Inc
dev.esp_hd.tsc-tc.com DigiCert Inc
_collab-edge._tls.missouricitytx.gov DigiCert Inc
ld5-vpn.rsa_adm.accenture.com DigiCert Inc
ibmwebspheremqequity.zeus_qm5.citi.com DigiCert Inc
327.pmachine.zone_327.edog.msft.net DigiCert Inc
www.certnow_prd.absa.co.za Entrust, Inc.
www.MPS2_WATERPLUS_RT_B2B_2.water-plus.co.uk Entrust, Inc.
www.aims_test.kdads.ks.gov Entrust, Inc.
cernvcukeaodrpvip.cern_vcuk.cernuk.com Entrust, Inc.
*.cern_vcuk.cernuk.com Entrust, Inc.
www.wc847_87_5.dbn.nscorp.com Entrust, Inc.
www.BMW_BO_PROD.EPSILON.COM Entrust, Inc.
www.test_poc-ext.qa.kpmg.com Entrust, Inc.
cphycprmeds01.cphy_pr.cernerasp.com Entrust, Inc.
mqp.nri_istar_ipt_prod.bankofamerica.com Entrust, Inc.
www.sdc20_dev.pfizer.com Entrust, Inc.
www.STS_TEST_CERT.epsilon.com Entrust, Inc.
www.m2txmbmo_prd.traxmarkets.com GoDaddy.com, Inc.
www.emrxhca_uat.hcahospicecare.org.sg GoDaddy.com, Inc.
www.fts_test.prxix.net GoDaddy.com, Inc.
www.m2txmmizuho_prd.traxmarkets.com GoDaddy.com, Inc.
www.wasakredit_test.ttps.peritum.se GoDaddy.com, Inc.
www.jtixchange_web.demo.ca.com GoDaddy.com, Inc.
www.lincoln_cam.psislab.com GoDaddy.com, Inc.
www.ingim62t_brst.voyainvestments.com GoDaddy.com, Inc.
www.ezpcr_3.actionambulance.com GoDaddy.com, Inc.
www.traps_esm.ams.net GoDaddy.com, Inc.
www.ccsc_share.kratosdefense.com GoDaddy.com, Inc.
www.ssc_gwifi.ychss.org.hk GoDaddy.com, Inc.
www.drc_archive.osisa.org GoDaddy.com, Inc.
www.vpn_m1.avanda.sg GoDaddy.com, Inc.
www.expw_e_altex.grupoaltex.com GoDaddy.com, Inc.
www.pfe_171003.modushealth.com GoDaddy.com, Inc.
www.onlineerp_api.solution.quebec GoDaddy.com, Inc.
www.m2txmstate_prd.traxmarkets.com GoDaddy.com, Inc.
www.cvc_db_srvr.cvchospital.com GoDaddy.com, Inc.
www.xen_ws_arcportal_prod.twfghome.com GoDaddy.com, Inc.
www.vpn_dr.avanda.sg GoDaddy.com, Inc.
www.pfe_171003-dev.modushealth.com GoDaddy.com, Inc.
www.jtixchange_web.ca.com GoDaddy.com, Inc.
www.temm_qaf.practiaconsulting.com GoDaddy.com, Inc.
www.dblmain_t.xxjxctc.com GoDaddy.com, Inc.
www.kyc_iden.numobile.io GoDaddy.com, Inc.
www.cp_guest2_cp.sccgov.org GoDaddy.com, Inc.
www.vpn_dr.jcsco.com GoDaddy.com, Inc.
www.live_web.destructopiam.trypotstudios.com GoDaddy.com, Inc.
www.msg_dc.msgservice.net GoDaddy.com, Inc.
www.imp_wifi.collegealma.ca GoDaddy.com, Inc.
www.ess_vss_combo.co.monterey.ca.us GoDaddy.com, Inc.
www.sfb_access.paragon-cc.co.uk GoDaddy.com, Inc.
www.ss_scus.shieldsquare.net GoDaddy.com, Inc.
www.old_remote.massmovement.com GoDaddy.com, Inc.
www.xen_ws_arcportal_dev.twfghome.com GoDaddy.com, Inc.
www.community_sandbox.campusmanagement.com GoDaddy.com, Inc.
www.blue_test.nwpretail.com GoDaddy.com, Inc.
www.goldpro_qas.goldenland.co.th GoDaddy.com, Inc.
www.ahtportal_texas.prioritymgt.com GoDaddy.com, Inc.
www.api_enforce.apisppin.com GoDaddy.com, Inc.
enterpriseregistration.ttsc_banora.twintowns.com.au GoDaddy.com, Inc.
www.m2txmrbs_prd.traxmarkets.com GoDaddy.com, Inc.
www.api_chatbot.quimicasuiza.com GoDaddy.com, Inc.
www.ctrl_inlap.lima-airport.com GoDaddy.com, Inc.
www.clientes_proco.roadtrack.mx GoDaddy.com, Inc.
www.tms_healthscope.registry.org.au QuoVadis Limited
www.tms_patient.registry.org.au QuoVadis Limited
www.registry.mein_makler.daum-group.de Starfield Technologies, Inc.
registry.mein_makler.daum-group.de Starfield Technologies, Inc.
www.poc_vdi.whitecube.com.br Starfield Technologies, Inc.
www.mein_makler.daum-group.de Starfield Technologies, Inc.
www.login.mein_makler.daum-group.de Starfield Technologies, Inc.
www.gatehouse-ufss_uat.sutherlandglobal.com Starfield Technologies, Inc.
login.mein_makler.daum-group.de Starfield Technologies, Inc.
rkm.Infomanager_2019.vzwcorp.com Symantec Corporation
korea.dc001.daejeon_atlas1.ericsson.se Symantec Corporation
GTAEMEFD_QM.DIT_qmv75.nam.nsroot.net Symantec Corporation
prod.ihp.akamai_origin.iop.qbop.intuit.com Symantec Corporation
atlas.raso_lab.poc.ericsson.se Symantec Corporation
atlas.cscf_cee205.ericsson.se Symantec Corporation
GTAEMEFD_QM02.SIT_qmv75.nam.nsroot.net Symantec Corporation
test_15.4_enroll.cvs.com Symantec Corporation
rkm.EPS_2018.vzwcorp.com Symantec Corporation
ctrl.raso_lab.poc.ericsson.se Symantec Corporation
rkm.Smart_2018.vzwcorp.com Symantec Corporation
korea.dc001.daejeon_ctrl1.ericsson.se Symantec Corporation
rkm.BES_2018.vzw.com Symantec Corporation
OMGEOLLC_CONNECT_CT_VERSION_1.0.0_MESSAGING.OMGEO.NET Symantec Corporation
GTAEMEFD_QM01.SIT_qmv75.nam.nsroot.net Symantec Corporation
_sip._tls.polac.cz TERENA
www.pfyziol_mysl.upol.cz TERENA
securelogin.lycee4_0.ac-reims.fr TERENA
_sipfederationtls._tcp.polac.cz TERENA
aurora.kevf_d1.troja.mff.cuni.cz TERENA
www.pfyziol_klin.upol.cz TERENA
001.1000000007.udo_mueller.merchantaccount.paysafecard.com thawte, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181022/43cd7f6a/attachment-0001.html>