[Servercert-wg] [EXTERNAL]Re: Results on Ballot 202 – Underscore Character in SANs

Robin Alden robin.alden at comodoca.com
Wed Sep 5 06:17:12 MST 2018


We’d support the ballot as well.

We stopped issuing certificates with underscores in SANs after the ballot failed.  It seemed indefensible to continue to issue them once it had been balloted and the ballot had failed.

I had expected an angry-mob-O-gram by now from the usual quarter.

 

Robin Alden
CTO for SSL

Email:  <mailto:Robin.Alden at ComodoCA.com> Robin.Alden at ComodoCA.com 

Office & Cell: US  908.800.0434 Ext 3003

Office & Cell: UK  01274 024706

 

This message and any files associated with it may contain legally privileged, confidential, or proprietary information. If you are not the intended recipient, you are not permitted to use, copy, or forward it, in whole or in part without the express consent of the sender. Please notify the sender by reply email, disregard the foregoing messages, and delete it immediately. 

 

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Bruce Morton via Servercert-wg
Sent: 05 September 2018 14:06
To: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>; Wayne Thayer <wthayer at mozilla.com>; Doug Beattie <doug.beattie at globalsign.com>
Subject: Re: [Servercert-wg] [EXTERNAL]Re: Results on Ballot 202 – Underscore Character in SANs

 

We support this as well.

 

Bruce.

 

From: Servercert-wg [mailto:servercert-wg-bounces at cabforum.org] On Behalf Of Tim Hollebeek via Servercert-wg
Sent: September 5, 2018 8:34 AM
To: Wayne Thayer <wthayer at mozilla.com <mailto:wthayer at mozilla.com> >; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> >; Doug Beattie <doug.beattie at globalsign.com <mailto:doug.beattie at globalsign.com> >
Subject: [EXTERNAL]Re: [Servercert-wg] Results on Ballot 202 – Underscore Character in SANs

 

We also support this.

 

-Tim

 

From: Servercert-wg <servercert-wg-bounces at cabforum.org <mailto:servercert-wg-bounces at cabforum.org> > On Behalf Of Wayne Thayer via Servercert-wg
Sent: Tuesday, September 4, 2018 7:27 PM
To: Doug Beattie <doug.beattie at globalsign.com <mailto:doug.beattie at globalsign.com> >; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> >
Subject: Re: [Servercert-wg] Results on Ballot 202 – Underscore Character in SANs

 

I agree with your assessment Doug, and I think it would be great to get this fixed. I've got a few other ballots in my queue, but I would be happy to take a crack at this if no one else gets to it first.

 

Wayne

 

 

On Tue, Sep 4, 2018 at 1:27 PM Doug Beattie via Servercert-wg <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> > wrote:

Given Ballot 202 failed last year, is issuing certificates with underscore in them considered a misissuance?  It’s not compliant with RFC 5280, but it’s listed just as a warning by the linters (and verbally agreed among many that it’s acceptable).  

https://crt.sh/?cablint=issues shows 136 certificates issued with underscores in the past week.

It’s unfortunate the ballot failed for unrelated issues because I think we all agreed that underscores were OK, but technically it seems like they are misissuances.  

Doug

 

From: Public <public-bounces at cabforum.org <mailto:public-bounces at cabforum.org> > On Behalf Of Kirk Hall via Public
Sent: Wednesday, July 26, 2017 6:30 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org <mailto:public at cabforum.org> >
Subject: [cabfpub] Results on Ballot 202 – Underscore Character in SANs

 

Results on Ballot 202 – Underscore Character in SANs

 

The voting period for Ballot 202 has ended, and the ballot has failed.  Here are the results.

 

Voting by CAs – 19 votes total, including abstentions

 

12 Yes votes: Actalis, Amazon, Cisco, Comodo, DigiCert, Disig, HARICA, Let's Encrypt, QuoVadis, Symantec, TrustCor, Trustwave

7 No votes: Buypass, CFCA, DocuSign France, Entrust, GDCA, GlobalSign, SHECA

0 Abstain: 

63% of voting CAs voted in favor

 

Voting by browsers – 3 votes total, including abstentions

 

3 Yes votes: Apple, Google, Mozilla

0 No votes: 

0 Abstain: 

100% of voting browsers voted in favor

 

Under Bylaw 2.2(g), a ballot result will be considered valid only when more than half of the number of currently active Members has participated. Votes to abstain are counted in determining a quorum.  Half of currently active Members as of the start of voting is 10, so quorum was 11 votes.  22 votes (including abstentions) were cast – quorum was met.  

 

At least one CA Member and one browser Member must vote in favor of a ballot for the ballot to be adopted.  This requirement was met.

 

Bylaw 2.2(f) requires a yes vote by two-thirds of CA votes and 50%-plus-one browser votes for approval.  Votes to abstain are not counted for this purpose.  This requirement was met for browsers but was not met for CAs.  

 

Ballot 202 fails.

 

 

_______________________________________________
Servercert-wg mailing list
Servercert-wg at cabforum.org <mailto:Servercert-wg at cabforum.org> 
http://cabforum.org/mailman/listinfo/servercert-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20180905/abb464fd/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7461 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20180905/abb464fd/attachment-0001.p7s>


More information about the Servercert-wg mailing list