[Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames

Ryan Sleevi sleevi at google.com
Tue Oct 23 17:32:09 MST 2018

On Tue, Oct 23, 2018 at 12:52 PM Wayne Thayer <wthayer at mozilla.com> wrote:

> Otherwise, I think the following ballot language captures your
> requirements:
> ==================
> Prior to October 1, 2019, certificates containing underscore characters
> (“_”) in domain labels in DNSName entries MAY be issued as follows:
> * DNSName entries MAY include underscore characters in the left most
> domain label such that replacing all underscore characters with hyphen
> characters (“-”) would result in a valid domain label, and;
> * Such certificates MUST NOT be valid for longer than 30 days.
> All certificates containing an underscore character in any DNSName entry
> and having a validity period of more than 30 days MUST be revoked prior to
> March 1, 2019.
> After October 31, 2019, underscore characters (“_”) MUST NOT be present in
> DNSName entries.

It doesn't capture the requirements. In particular, it means that the
ecosystem will not begin transitioning until March 1, 2019. New customers
will have headaches, but existing customers - the ones being presupposed as
most 'at risk' - will not have any meaningful awareness or begin any
meaningful migration until March 1, 2019.

Concrete numbers would look at March 1 -> Dec 1, 2018 and October 1, 2019
-> April 1, 2019.

The move to Dec 1, 2018 is the one and only thing that will signal to
existing users the need to migrate and to meaningfully begin those efforts.
The move to Apr 1, 2019 is because we're talking about what it would take
for a total of 166 domain names to migrate. We don't need 12 months for
that. Even 90 days is generous - but if we accept that Western-centric view
that Christmas, Boxing Day, and Thanksgiving holidays are "important" and
folks can't make changes - then it still allows them 90 days after their
production freeze.

However, as an approach, it still retroactively blesses the practice. Can
you help me understand why the BRs need to say this, rather than the
Mozilla Program requirements?
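The transitional rule in the quoted ballot text amounts to a check a CA or linter could run on each certificate: underscores may appear only in the leftmost label of a dNSName, that label must become a valid LDH label once every "_" is replaced by "-", and a certificate carrying such a name must not be valid for more than 30 days. The following Python is an added example of that check; it is not code from the thread, from the CA/Browser Forum, or from any CA's tooling. The function names, the LDH regex and the plain day-difference used for the validity period are assumptions (the BRs' own inclusive day counting is not reproduced).

```python
import re
from datetime import datetime, timedelta, timezone

# An LDH label (RFC 1034/1123 hostname syntax): 1-63 letters, digits or
# hyphens, with no leading or trailing hyphen.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def underscore_labels_ok(dns_name: str) -> bool:
    """True if dns_name has no underscores, or has them only in the leftmost
    label and that label is LDH-valid once every '_' is replaced by '-'."""
    labels = dns_name.rstrip(".").split(".")
    if any(lbl == "" for lbl in labels):
        return False                      # empty label, e.g. "foo..example.com"
    leftmost, rest = labels[0], labels[1:]
    if any("_" in lbl for lbl in rest):
        return False                      # underscore outside the leftmost label
    if "_" not in leftmost:
        return True                       # ordinary name; the rule does not apply
    return _LDH_LABEL.match(leftmost.replace("_", "-")) is not None


def validity_days(not_before: datetime, not_after: datetime) -> float:
    """Validity period length as a plain difference in days (assumption:
    this is not the BRs' inclusive day counting, but it flags '> 30 days')."""
    return (not_after - not_before) / timedelta(days=1)


def lint_underscore_cert(dns_names, not_before, not_after, max_days=30):
    """Return a list of findings for one certificate; an empty list means
    the certificate satisfies the transitional underscore rule."""
    findings = []
    has_underscore = False
    for name in dns_names:
        if "_" in name:
            has_underscore = True
            if not underscore_labels_ok(name):
                findings.append(
                    f"{name}: underscore not confined to a leftmost label "
                    f"that is LDH-valid after replacing '_' with '-'")
    if has_underscore and validity_days(not_before, not_after) > max_days:
        findings.append(
            f"certificate with an underscore dNSName is valid for more "
            f"than {max_days} days")
    return findings


if __name__ == "__main__":
    # Constructed sample certificates (hypothetical names, not from the thread).
    nb = datetime(2018, 12, 1, tzinfo=timezone.utc)
    samples = [
        (["foo_bar.example.com"], 29),          # allowed
        (["_acme-challenge.example.com"], 29),   # "-acme-challenge" has a leading hyphen
        (["_sip._tcp.example.com"], 29),         # underscore outside leftmost label
        (["foo_bar.example.com"], 90),           # name fine, validity too long
    ]
    for names, days in samples:
        print(names, days, lint_underscore_cert(names, nb, nb + timedelta(days=days)))
```

Note that a name such as `_acme-challenge.example.com` fails the "replace and re-check" test because the substituted label begins with a hyphen, which is exactly the kind of existing deployment the migration window in the discussion is meant to cover.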