[Servercert-wg] Results on Ballot 202 – Underscore Character in SANs

Ryan Sleevi sleevi at google.com
Wed Sep 5 11:38:58 MST 2018

On Wed, Sep 5, 2018 at 2:26 PM Erwann Abalea via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Technically, it seems that IE drops cookies coming from hostnames
> containing underscores since 2009, and a recent Apache no longer recognises
> a ServerName containing an underscore, just to name a few.

Correct. It's a violation of the TLS specification to use such names within
the SNI TLS extension, as they are not valid hostnames.

https://cabforum.org/pipermail/public/2017-June/011210.html captures the
past position on the matter. As noted in DocuSign's own vote, there are a
number of great cleanups in 202 -
https://cabforum.org/pipermail/public/2017-July/011708.html - and because
of those significant clarifications, we were willing to permit their
issuance - although effort is underway to ensure Chrome will not connect to
such hosts nor validate such certs. Our vote YES was in favor of those much
needed clarifications, around IDNs, around reserved IPs, and around

To that end, the approach taken by Comodo CA operationally on this is
certainly the responsible one that all CAs should seek to emulate. Which is
to say - to take the ground that optimized interoperability and ecosystem
health over the sale of a few certificates to, as you suggest, legacy
customers running broken systems.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20180905/18ca9f79/attachment.html>

More information about the Servercert-wg mailing list