[Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames

Blunt, Dave dblunt at amazon.com
Thu Oct 25 15:58:38 MST 2018

Wayne – I’ll endorse.


From: Servercert-wg [mailto:servercert-wg-bounces at cabforum.org] On Behalf Of Wayne Thayer via Servercert-wg
Sent: Thursday, October 25, 2018 1:50 PM
To: Doug Beattie <doug.beattie at globalsign.com>
Cc: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames


Here is an updated draft ballot that reflects discussion on the list and this morning's call.


It was pointed out that - even if the discussion period starts today and is kept to 7 days - this ballot won't become effective until roughly 8-December, and of course there are concerns with mandating revocations during holiday change freezes, so I moved the revocation date from 1-December to 15-January.


I also fixed the logic forbidding underscores when a wildcard can be used.


I'm still looking for two endorsers.


- Wayne


Ballot SC## - Sunset of Underscores in DNSNames

Purpose of Ballot

Ballot 202 included a provision creating a permanent exception permitting the underscore character to be used in SAN fields of type DNSName. Since that ballot failed in 2017, the practice has continued despite being non-compliant with RFC 5280. This ballot creates a brief sunset period intended to allow Subscribers who are relying on FQDNs containing underscores to transition away from them, either by changing the name or deploying a wildcard certificate.

The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by xxx of yyy and xxx of yyy.

Add the following language to BR section (Subject Alternative Name Extension):


Prior to April 1, 2019, certificates containing underscore characters (“_”) in domain labels in DNSName entries MAY be issued as follows:

* DNSName entries MAY include underscore characters such that replacing all underscore characters with hyphen characters (“-”) would result in a valid domain label, and;

* Underscore characters MUST NOT be placed in the left most domain label, and;

* Such certificates MUST NOT be valid for longer than 30 days.

All certificates containing an underscore character in any DNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.


After April 30, 2019, underscore characters (“_”) MUST NOT be present in DNSName entries.

This ballot proposes a Final Maintenance Guideline. A comparison of the changes can be found at: <TBD>


The procedure for approval of this ballot is as follows:

Discussion (7-21 days)
Start Time: 2018-10-xx, 7:00 am Eastern Time
End Time: Not before 2018-11-xx, 7:00 am Eastern Time

Vote for approval (7 days)
Start Time: 2018-xx-xx, 7:00 am Eastern Time
End Time: 2018-xx-xx, 7:00 am Eastern Time
