[Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames
Tim Shirley
TShirley at trustwave.com
Fri Oct 26 11:06:01 MST 2018
Trustwave would be happy to endorse.
From: Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of Wayne Thayer via Servercert-wg <servercert-wg at cabforum.org>
Reply-To: Wayne Thayer <wthayer at mozilla.com>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Date: Thursday, October 25, 2018 at 4:50 PM
To: "doug.beattie at globalsign.com" <doug.beattie at globalsign.com>
Cc: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames
Here is an updated draft ballot that reflects discussion on the list and this morning's call.
It was pointed out that - even if the discussion period starts today and is kept to 7 days - this ballot won't become effective until roughly 8-December, and of course there are concerns with mandating revocations during holiday change freezes, so I moved the revocation date from 1-December to 15-January.
I also fixed the logic forbidding underscores when a wildcard can be used.
I'm still looking for two endorsers.
- Wayne
Ballot SC## - Sunset of Underscores in DNSNames
Purpose of Ballot
Ballot 202 included a provision creating a permanent exception permitting the underscore character to be used in SAN fields of type DNSName. Since that ballot failed in 2017, the practice has continued despite being non-compliant with RFC 5280. This ballot creates a brief sunset period intended to allow Subscribers who are relying on FQDNs containing underscores to transition away from them, either by changing the name or deploying a wildcard certificate.
The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by xxx of yyy and xxx of yyy.
--- MOTION BEGINS ---
Add the following language to BR section 7.1.4.2.1 (Subject Alternative Name Extension):
Prior to April 1, 2019, certificates containing underscore characters (“_”) in domain labels in DNSName entries MAY be issued as follows:
* DNSName entries MAY include underscore characters such that replacing all underscore characters with hyphen characters (“-“) would result in a valid domain label, and;
* Underscore characters MUST NOT be placed in the left most domain label, and;
* Such certificates MUST NOT be valid for longer than 30 days.
All certificates containing an underscore character in any DNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.
After April 30, 2019, underscore characters (“_”) MUST NOT be present in DNSName entries.
--- MOTION ENDS ---
This ballot proposes a Final Maintenance Guideline. A comparison of the changes can be found at: <TBD>
The procedure for approval of this ballot is as follows:
Discussion (7-21 days)
Start Time: 2018-10-xx, 7:00 am Eastern Time
End Time: Not before 2018-11-xx, 7:00 am Eastern Time
Vote for approval (7 days)
Start Time: 2018-xx-xx, 7:00 am Eastern Time
End Time: 2018-xx-xx, 7:00 am Eastern Time
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181026/c05cb8f6/attachment.html>
More information about the Servercert-wg
mailing list