[cabf_validation] Underscores, DNSNames, and SRVNames

Wayne Thayer wthayer at mozilla.com
Wed Oct 10 16:50:28 MST 2018

Following up on the thread that Doug started [1] on reviving Ballot 202, I
would summarize the current situation as follows:
* My memory of ballot 202 going down in flames for unrelated reasons was
only partially correct. Erwann voiced a strong objection to violating
standards and voted against, and Ryan later stated that his vote for that
ballot was in spite of the exception permitting underscore characters in
* Later on in the thread that Doug started, Erwann pointed out specific
implementations that do not tolerate underscores [2].
* While Comodo stated that they stopped issuing these certificates after
the ballot failed, some CAs continue the practice [3].

As I stated on our last call, I'm unhappy with the current lack of clarity
and consistency. Some of the options for fixing this are:
* Put forth another ballot creating an exception for this and see if it
passes. (TBH, now that I've read the history on this issue, I would be
inclined to vote against)
* Add language explicitly forbidding this to the BRs.
* Focus on adding support for SRVNames which would at least partially solve
this problem in a standards-compliant fashion. Unfortunately, this breaks
existing TCSCs in a way that is difficult to fix quickly [4] [5].

My proposal is this: Recognize the existence, use of, and reliance on
certificates with underscores encoded in DNSNames much as we did with
internal names. Update the BRs to explicitly permit issuance of these
certificates for some sunset period with deadlines for ceasing new issuance
and for revoking remaining certificates. I have Jan 1, 2020 in mind as the
date after which new issuance is forbidden, with revocation of existing
certificates required 1 year later, but we can debate this. We'll also have
to decide if an exception process is really necessary.

I would further suggest that we update the BRs to permit SRVNames, and to
include provisions for technically constraining SRVNames in all newly
issued TCSCs. Of course this doesn't mean that browsers will add SRVName
support as long as there are TCSCs without SRVName constraints, but at
least this allows CAs to support non-browser use cases while beginning the
transition to TCSCs with SRVName constraints.

If we have time during the subcommittee F2F, I'd like to discuss this.

- Wayne

[1] https://cabforum.org/pipermail/servercert-wg/2018-September/000172.html
[2] https://cabforum.org/pipermail/servercert-wg/2018-September/000179.html
[3] https://crt.sh/?cablint=62
[4] https://cabforum.org/pipermail/public/2017-November/012477.html
[5] https://cabforum.org/pipermail/public/2017-October/012445.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20181010/7e23c6a9/attachment.html>

More information about the Validation mailing list