[Servercert-wg] Ballot SC12 - Sunset of Underscores in DNSNames

Wayne Thayer wthayer at mozilla.com
Fri Oct 26 14:46:03 MST 2018


Dimitris kindly pointed out that 'DNSName' should be 'dNSName'. Here is a
corrected ballot:

Purpose of Ballot

Ballot 202 included a provision creating a permanent exception permitting
the underscore character to be used in SAN fields of type dNSName. Since
that ballot failed in 2017, the practice has continued despite being
non-compliant with RFC 5280. This ballot creates a brief sunset period
intended to allow Subscribers who are relying on FQDNs containing
underscores to transition away from them, either by changing the name or
deploying a wildcard certificate.

The following motion has been proposed by Wayne Thayer of Mozilla and
endorsed by Dave Blunt of Amazon and Tim Shirley of Trustwave.

--- MOTION BEGINS ---
Add the following language to BR section 7.1.4.2.1 (Subject Alternative
Name Extension):

Prior to April 1, 2019, certificates containing underscore characters (“_”)
in domain labels in dNSName entries MAY be issued as follows:
* dNSName entries MAY include underscore characters such that replacing all
underscore characters with hyphen characters (“-”) would result in a valid
domain label, and;
* Underscore characters MUST NOT be placed in the leftmost domain label,
and;
* Such certificates MUST NOT be valid for longer than 30 days.

All certificates containing an underscore character in any dNSName entry
and having a validity period of more than 30 days MUST be revoked prior to
January 15, 2019.

After April 30, 2019, underscore characters (“_”) MUST NOT be present in
dNSName entries.

--- MOTION ENDS ---

This ballot proposes a Final Maintenance Guideline. A comparison of the
changes can be found at:
https://github.com/wthayer/documents/compare/master...wthayer:Underscores
<https://github.com/wthayer/documents/commit/9926d75d0b9a1969034a25864741eae4421a51e5>

The procedure for approval of this ballot is as follows:

Discussion (7-21 days)
Start Time: 2018-10-26, 19:00 UTC
End Time: Not before 2018-11-02, 22:00 UTC

Vote for approval (7 days)
Start Time: 2018-11-xx, 22:00 UTC
End Time: 2018-11-xx, 22:00 UTC

On Fri, Oct 26, 2018 at 11:59 AM Wayne Thayer <wthayer at mozilla.com> wrote:

> This begins the review period for Ballot SC12 - Sunset of Underscores in
> DNSNames
>
> Purpose of Ballot
>
> Ballot 202 included a provision creating a permanent exception permitting
> the underscore character to be used in SAN fields of type DNSName. Since
> that ballot failed in 2017, the practice has continued despite being
> non-compliant with RFC 5280. This ballot creates a brief sunset period
> intended to allow Subscribers who are relying on FQDNs containing
> underscores to transition away from them, either by changing the name or
> deploying a wildcard certificate.
>
> The following motion has been proposed by Wayne Thayer of Mozilla and
> endorsed by Dave Blunt of Amazon and Tim Shirley of Trustwave.
>
> --- MOTION BEGINS ---
> Add the following language to BR section 7.1.4.2.1 (Subject Alternative
> Name Extension):
>
> Prior to April 1, 2019, certificates containing underscore characters
> (“_”) in domain labels in DNSName entries MAY be issued as follows:
> * DNSName entries MAY include underscore characters such that replacing
> all underscore characters with hyphen characters (“-”) would result in a
> valid domain label, and;
> * Underscore characters MUST NOT be placed in the leftmost domain label,
> and;
> * Such certificates MUST NOT be valid for longer than 30 days.
>
> All certificates containing an underscore character in any DNSName entry
> and having a validity period of more than 30 days MUST be revoked prior to
> January 15, 2019.
>
> After April 30, 2019, underscore characters (“_”) MUST NOT be present in
> DNSName entries.
>
> --- MOTION ENDS ---
>
> This ballot proposes a Final Maintenance Guideline. A comparison of the
> changes can be found at:
> https://github.com/wthayer/documents/commit/9926d75d0b9a1969034a25864741eae4421a51e5
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7-21 days)
> Start Time: 2018-10-26, 19:00 UTC
> End Time: Not before 2018-11-02, 19:00 UTC
>
> Vote for approval (7 days)
> Start Time: 2018-11-xx, 19:00 UTC
> End Time: 2018-11-xx, 19:00 UTC
>