[Servercert-wg] Results on Ballot 202 – Underscore Character in SANs

Wed Sep 5 05:34:03 MST 2018

We also support this.

-Tim

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Wayne Thayer via Servercert-wg
Sent: Tuesday, September 4, 2018 7:27 PM
To: Doug Beattie <doug.beattie at globalsign.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] Results on Ballot 202 – Underscore Character in SANs

I agree with your assessment Doug, and I think it would be great to get this fixed. I've got a few other ballots in my queue, but I would be happy to take a crack at this if no one else gets to it first.

Wayne

On Tue, Sep 4, 2018 at 1:27 PM Doug Beattie via Servercert-wg <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> > wrote:

Given Ballot 202 failed last year, is issuing certificates with underscore in them considered a misissuance?  It’s not compliant with RFC 5280, but it’s listed just as a warning by the linters (and verbally agreed among many that it’s acceptable).  

https://crt.sh/?cablint=issues shows 136 certificates issued with underscores in the past week.

It’s unfortunate the ballot failed for unrelated issues because I think we all agreed that underscores were OK, but technically it seems like they are misissuances.  

Doug

From: Public <public-bounces at cabforum.org <mailto:public-bounces at cabforum.org> > On Behalf Of Kirk Hall via Public
Sent: Wednesday, July 26, 2017 6:30 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org <mailto:public at cabforum.org> >
Subject: [cabfpub] Results on Ballot 202 – Underscore Character in SANs

Results on Ballot 202 – Underscore Character in SANs

The voting period for Ballot 202 has ended, and the ballot has failed.  Here are the results.

Voting by CAs – 19 votes total, including abstentions

12 Yes votes: Actalis, Amazon, Cisco, Comodo, DigiCert, Disig, HARICA, Let's Encrypt, QuoVadis, Symantec, TrustCor, Trustwave

7 No votes: Buypass, CFCA, DocuSign France, Entrust, GDCA, GlobalSign, SHECA

0 Abstain: 

63% of voting CAs voted in favor

Voting by browsers – 3 votes total, including abstentions

3 Yes votes: Apple, Google, Mozilla

0 No votes: 

0 Abstain: 

100% of voting browsers voted in favor

Under Bylaw 2.2(g), a ballot result will be considered valid only when more than half of the number of currently active Members has participated. Votes to abstain are counted in determining a quorum.  Half of currently active Members as of the start of voting is 10, so quorum was 11 votes.  22 votes (including abstentions) were cast – quorum was met.  

At least one CA Member and one browser Member must vote in favor of a ballot for the ballot to be adopted.  This requirement was met.

Bylaw 2.2(f) requires a yes vote by two-thirds of CA votes and 50%-plus-one browser votes for approval.  Votes to abstain are not counted for this purpose.  This requirement was met for browsers but was not met for CAs.  

Ballot 202 fails.

_______________________________________________
Servercert-wg mailing list
Servercert-wg at cabforum.org <mailto:Servercert-wg at cabforum.org> 
http://cabforum.org/mailman/listinfo/servercert-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20180905/0415e78e/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20180905/0415e78e/attachment.p7s>