[Servercert-wg] Results on Ballot 202 – Underscore Character in SANs

Wed Sep 5 11:26:42 MST 2018

Bonjour,

The fact that the linters only emit a warning is not a good reason to accept that practice. The linters don’t define what is allowed or not, they are coded based on a combination of what is acceptable, unacceptable, tolerated, bad-practice-but-used-in-the-field, etc.

Underscores in hostnames are equivalent to putting the FQDN of a web server in the CN attribute. A bad practice coming from pre-2K.

Technically, it seems that IE drops cookies coming from hostnames containing underscores since 2009, and a recent Apache no longer recognises a ServerName containing an underscore, just to name a few.

That limitation to LDH-only for hostnames was defined by RFC1034, slightly modified by RFC1123, accepted in RFC2296 and RFC3986 for the definition of the « host » in an URI, kept in RFC2616 and RFC7540 (HTTP 1/1 and HTTP/2), kept in RFC2821 and RFC5321 (SMTP), repeated in X.509 (even edition 8, which refers to RFC5890 clause 2.3.1), and RFC2782 (SRV records) added the underscore precisely to avoid collisions with hostnames, ...

Cordialement,
Erwann Abalea

Le 5 sept. 2018 à 14:34, Tim Hollebeek via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>> a écrit :

We also support this.

-Tim

From: Servercert-wg <servercert-wg-bounces at cabforum.org<mailto:servercert-wg-bounces at cabforum.org>> On Behalf Of Wayne Thayer via Servercert-wg
Sent: Tuesday, September 4, 2018 7:27 PM
To: Doug Beattie <doug.beattie at globalsign.com<mailto:doug.beattie at globalsign.com>>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Subject: Re: [Servercert-wg] Results on Ballot 202 – Underscore Character in SANs

I agree with your assessment Doug, and I think it would be great to get this fixed. I've got a few other ballots in my queue, but I would be happy to take a crack at this if no one else gets to it first.

Wayne

On Tue, Sep 4, 2018 at 1:27 PM Doug Beattie via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>> wrote:
Given Ballot 202 failed last year, is issuing certificates with underscore in them considered a misissuance?  It’s not compliant with RFC 5280, but it’s listed just as a warning by the linters (and verbally agreed among many that it’s acceptable).
https://crt.sh/?cablint=issues shows 136 certificates issued with underscores in the past week.
It’s unfortunate the ballot failed for unrelated issues because I think we all agreed that underscores were OK, but technically it seems like they are misissuances.
Doug

From: Public <public-bounces at cabforum.org<mailto:public-bounces at cabforum.org>> On Behalf Of Kirk Hall via Public
Sent: Wednesday, July 26, 2017 6:30 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org<mailto:public at cabforum.org>>
Subject: [cabfpub] Results on Ballot 202 – Underscore Character in SANs

Results on Ballot 202 – Underscore Character in SANs

The voting period for Ballot 202 has ended, and the ballot has failed.  Here are the results.

Voting by CAs – 19 votes total, including abstentions

12 Yes votes: Actalis, Amazon, Cisco, Comodo, DigiCert, Disig, HARICA, Let's Encrypt, QuoVadis, Symantec, TrustCor, Trustwave
7 No votes: Buypass, CFCA, DocuSign France, Entrust, GDCA, GlobalSign, SHECA
0 Abstain:
63% of voting CAs voted in favor

Voting by browsers – 3 votes total, including abstentions

3 Yes votes: Apple, Google, Mozilla
0 No votes:
0 Abstain:
100% of voting browsers voted in favor

Under Bylaw 2.2(g), a ballot result will be considered valid only when more than half of the number of currently active Members has participated. Votes to abstain are counted in determining a quorum.  Half of currently active Members as of the start of voting is 10, so quorum was 11 votes.  22 votes (including abstentions) were cast – quorum was met.

At least one CA Member and one browser Member must vote in favor of a ballot for the ballot to be adopted.  This requirement was met.

Bylaw 2.2(f) requires a yes vote by two-thirds of CA votes and 50%-plus-one browser votes for approval.  Votes to abstain are not counted for this purpose.  This requirement was met for browsers but was not met for CAs.

Ballot 202 fails.

_______________________________________________
Servercert-wg mailing list
Servercert-wg at cabforum.org<mailto:Servercert-wg at cabforum.org>
http://cabforum.org/mailman/listinfo/servercert-wg
_______________________________________________
Servercert-wg mailing list
Servercert-wg at cabforum.org<mailto:Servercert-wg at cabforum.org>
http://cabforum.org/mailman/listinfo/servercert-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20180905/d4e6d0d8/attachment-0001.html>