[Servercert-wg] Results on Ballot 202 – Underscore Character in SANs

Doug Beattie doug.beattie at globalsign.com
Tue Sep 4 13:27:27 MST 2018

Given Ballot 202 failed last year, is issuing certificates with underscore
in them considered a misissuance?  It's not compliant with RFC 5280, but
it's listed just as a warning by the linters (and verbally agreed among many
that it's acceptable).  

https://crt.sh/?cablint=issues shows 136 certificates issued with
underscores in the past week.

It's unfortunate the ballot failed for unrelated issues because I think we
all agreed that underscores were OK, but technically it seems like they are



From: Public <public-bounces at cabforum.org> On Behalf Of Kirk Hall via Public
Sent: Wednesday, July 26, 2017 6:30 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: [cabfpub] Results on Ballot 202 - Underscore Character in SANs


Results on Ballot 202 - Underscore Character in SANs


The voting period for Ballot 202 has ended, and the ballot has failed.  Here
are the results.


Voting by CAs - 19 votes total, including abstentions


12 Yes votes: Actalis, Amazon, Cisco, Comodo, DigiCert, Disig, HARICA, Let's
Encrypt, QuoVadis, Symantec, TrustCor, Trustwave

7 No votes: Buypass, CFCA, DocuSign France, Entrust, GDCA, GlobalSign, SHECA

0 Abstain: 

63% of voting CAs voted in favor


Voting by browsers - 3 votes total, including abstentions


3 Yes votes: Apple, Google, Mozilla

0 No votes: 

0 Abstain: 

100% of voting browsers voted in favor


Under Bylaw 2.2(g), a ballot result will be considered valid only when more
than half of the number of currently active Members has participated. Votes
to abstain are counted in determining a quorum.  Half of currently active
Members as of the start of voting is 10, so quorum was 11 votes.  22 votes
(including abstentions) were cast - quorum was met.  


At least one CA Member and one browser Member must vote in favor of a ballot
for the ballot to be adopted.  This requirement was met.


Bylaw 2.2(f) requires a yes vote by two-thirds of CA votes and 50%-plus-one
browser votes for approval.  Votes to abstain are not counted for this
purpose.  This requirement was met for browsers but was not met for CAs.  


Ballot 202 fails.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20180904/8717c746/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5736 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20180904/8717c746/attachment.p7s>

More information about the Servercert-wg mailing list