[Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames

Wayne Thayer wthayer at mozilla.com
Tue Oct 23 21:07:03 MST 2018


On Tue, Oct 23, 2018 at 5:32 PM Ryan Sleevi <sleevi at google.com> wrote:

>
> On Tue, Oct 23, 2018 at 12:52 PM Wayne Thayer <wthayer at mozilla.com> wrote:
>
>> Otherwise, I think the following ballot language captures your
>> requirements:
>> ==================
>>
>> Prior to October 1, 2019, certificates containing underscore characters
>> (“_”) in domain labels in DNSName entries MAY be issued as follows:
>> * DNSName entries MAY include underscore characters in the left most
>> domain label such that replacing all underscore characters with hyphen
>> characters (“-“) would result in a valid domain label, and;
>> * Such certificates MUST NOT be valid for longer than 30 days.
>>
>> All certificates containing an underscore character in any DNSName entry
>> and having a validity period of more than 30 days MUST be revoked prior to
>> March 1, 2019.
>>
>> After October 31, 2019, underscore characters (“_”) MUST NOT be present
>> in DNSName entries.
>>
>
> It doesn't capture the requirements. In particular, it means that the
> ecosystem will not begin transitioning until March 1, 2019. New customers
> will have headaches, but existing customers - the ones being presupposed as
> most 'at risk' - will not have any meaningful awareness or begin any
> meaningful migration until March 1, 2019.
>
> In not responding to my questions about the whitelist, are you accepting
my position or just pocketing that to use as a point of contention later on?

Concrete numbers would look at March 1 -> Dec 1, 2018 and October 1, 2019
> -> April 1, 2019.
>
> In your previous message you said the suggestion was 3 months for complete
revocation of existing certificates. Starting from the time this ballot can
be ratified, I get to roughly March 1st. And you said complete sunset <=1y,
which I again thought I had adopted. How do you square these proposed dates
with your prior statements?

The move to Dec 1, 2018 is the one and only thing that will signal to
> existing users the need to migrate and to meaningfully begin those efforts.
> The move to Apr 1, 2019 is because we're talking about what it would take
> for a total of 166 domain names to migrate. We don't need 12 months for
> that. Even 90 days is generous - but if we accept that Western-centric view
> that Christmas, Boxing Day, and Thanksgiving holidays are "important" and
> folks can't make changes - then it still allows them 90 days after their
> production freeze.
>
> However, as an approach, it still retroactively blesses the practice. Can
> you help me understand why the BRs need to say this, rather than the
> Mozilla Program requirements?
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181023/c695a780/attachment.html>


More information about the Servercert-wg mailing list