[Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames

Wayne Thayer wthayer at mozilla.com
Thu Oct 25 13:50:13 MST 2018


Here is an updated draft ballot that reflects discussion on the list and
this morning's call.

It was pointed out that - even if the discussion period starts today and is
kept to 7 days - this ballot won't become effective until roughly
8-December, and of course there are concerns with mandating revocations
during holiday change freezes, so I moved the revocation date from
1-December to 15-January.

I also fixed the logic forbidding underscores when a wildcard can be used.

I'm still looking for two endorsers.

- Wayne

Ballot SC## - Sunset of Underscores in DNSNames

Purpose of Ballot

Ballot 202 included a provision creating a permanent exception permitting
the underscore character to be used in SAN fields of type DNSName. Since
that ballot failed in 2017, the practice has continued despite being
non-compliant with RFC 5280. This ballot creates a brief sunset period
intended to allow Subscribers who are relying on FQDNs containing
underscores to transition away from them, either by changing the name or
deploying a wildcard certificate.

The following motion has been proposed by Wayne Thayer of Mozilla and
endorsed by xxx of yyy and xxx of yyy.

--- MOTION BEGINS ---
Add the following language to BR section 7.1.4.2.1 (Subject Alternative
Name Extension):

Prior to April 1, 2019, certificates containing underscore characters (“_”)
in domain labels in DNSName entries MAY be issued as follows:
* DNSName entries MAY include underscore characters such that replacing all
underscore characters with hyphen characters (“-”) would result in a valid
domain label, and;
* Underscore characters MUST NOT be placed in the left most domain label,
and;
* Such certificates MUST NOT be valid for longer than 30 days.

All certificates containing an underscore character in any DNSName entry
and having a validity period of more than 30 days MUST be revoked prior to
January 15, 2019.

After April 30, 2019, underscore characters (“_”) MUST NOT be present in
DNSName entries.

--- MOTION ENDS ---

This ballot proposes a Final Maintenance Guideline. A comparison of the
changes can be found at: <TBD>

The procedure for approval of this ballot is as follows:

Discussion (7-21 days)
Start Time: 2018-10-xx, 7:00 am Eastern Time
End Time: Not before 2018-11-xx, 7:00 am Eastern Time

Vote for approval (7 days)
Start Time: 2018-xx-xx, 7:00 am Eastern Time
End Time: 2018-xx-xx, 7:00 am Eastern Time
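As an added example that is not part of the ballot or of any CA/B Forum tooling, the proposed rules can be encoded as a lint check a CA or auditor could run over a certificate's dNSName SANs and validity dates. The LDH label regex, the date arithmetic for "valid for longer than 30 days", and the sample names are my assumptions; the cutoff dates come from the motion text above.

```python
import re
from datetime import date, timedelta

# Dates and limits taken from the draft ballot text (constructed model, not CA/B Forum code).
ISSUANCE_CUTOFF = date(2019, 4, 1)       # "Prior to April 1, 2019 ... MAY be issued"
REVOCATION_DEADLINE = date(2019, 1, 15)  # "MUST be revoked prior to January 15, 2019"
MAX_VALIDITY = timedelta(days=30)        # "MUST NOT be valid for longer than 30 days"

# Assumed LDH label syntax: letters, digits, hyphen; no leading/trailing hyphen; max 63 octets.
LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def label_findings(dnsname: str) -> list[str]:
    """Apply the ballot's two label rules to one dNSName; an empty list means the name is acceptable."""
    findings = []
    labels = dnsname.rstrip(".").split(".")
    if "_" in labels[0]:
        findings.append("underscore in left-most label")
    for label in labels:
        if "_" in label and not LDH_LABEL.match(label.replace("_", "-")):
            findings.append(f"label {label!r} is not a valid label after '_' -> '-' substitution")
    return findings


def check_certificate(dnsnames, not_before: date, not_after: date) -> list[str]:
    """Return findings for a certificate's dNSName SANs and validity window under the proposal.

    An empty list means issuance would be permitted by the ballot text. Certificates
    without underscores are unaffected by this ballot and produce no findings."""
    if not any("_" in n for n in dnsnames):
        return []
    findings = []
    if not_before >= ISSUANCE_CUTOFF:
        findings.append("underscore certificate issued on or after April 1, 2019")
    if not_after - not_before > MAX_VALIDITY:  # assumed validity arithmetic
        findings.append("underscore certificate valid for longer than 30 days")
    for name in dnsnames:
        findings.extend(f"{name}: {f}" for f in label_findings(name))
    return findings


def must_revoke_by(dnsnames, not_before: date, not_after: date):
    """Deadline for an already-issued certificate under the revocation clause, or None."""
    if any("_" in n for n in dnsnames) and not_after - not_before > MAX_VALIDITY:
        return REVOCATION_DEADLINE
    return None


if __name__ == "__main__":
    # Constructed sample: 30-day certificate issued before the cutoff with a compliant underscore label.
    print(check_certificate(["host.my_label.example.com"], date(2018, 12, 1), date(2018, 12, 31)))
    # Constructed sample: one-year certificate with service-style names that fail the label rules.
    print(check_certificate(["_acme-challenge.example.com", "host._tcp.example.com"],
                            date(2018, 12, 1), date(2019, 12, 1)))
```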