[cabf_validation] Underscores, DNSNames, and SRVNames

Ryan Sleevi sleevi at google.com
Wed Oct 10 22:23:07 MST 2018

I disagree that the existence of 3935 BR violating certificates is
justified or a reason to change the BRs. If anything, it states that
anything forbidden will be permitted, so long as you misissue enough of it.
This is no different than if a CA were to issue 1024-bit RSA certificates
in contravention of the BRs - there's no reasonable basis to change the BRs
based on hardship that 'some' customers may face.

There is no reasonable basis to assume it's permitted, so CAs have (and
have had) a responsibility to ensure that organizations are educated, and
are aware that they cannot replace/renew these certificates. This is a
failure, by CAs, to both adhere to the standards and to help their
customers avoid disruption.

There's zero evidence to suggest it requires any form of sunset or delay.
CAs should have stopped ages ago - because it's never been permitted.
Unlike internal server names, this is not the result of some "technically
correct, but semantically undesirable" process - Mozilla itself has
forbidden this practice since 1.0 of its policy (
https://wiki.mozilla.org/CA:CertificatePolicyV1.0 ). I think that's a huge
point that needs to be acknowledged by CAs - unlike RSA-1024, unlike SHA-1,
unlike internal server names - there's no reasonable interpretation of the
relevant RFCs to believe this has ever been permitted. At best, the only
reason to believe permissiveness is because they haven't been taken to the
carpet by auditors or browsers, but that's an unacceptable standard for CA
operations and compliance - that you only have to comply when you get
called out.

CAs should revoke these certificates. They should receive qualified audits
for the issuance, and for the lack of revocation. Auditors that fail to
acknowledge these 3935 certificates should be suspect, because there's no
reasonable basis to believe the control objectives have been met.

On Thu, Oct 11, 2018 at 12:06 AM Wayne Thayer <wthayer at mozilla.com> wrote:

> According to crt.sh, 3935 certificates containing underscores have been
> issued in 2018 [1]. Characterizing this as an attempt to compromise with
> CAs ignores the fact that a lot of organizations apparently rely on such
> certs, and need education and time to fix the problem, much as they did
> with internal names. Was the internal name deprecation perfect? Obviously
> not. Did it succeed? Yes. You can ignore the reality of this situation and
> blame CAs and auditors for allowing it, but that doesn't solve the problem
> methodically.
> - Wayne
> [1] https://crt.sh/?cablint=62&minNotBefore=2018-01-01
> On Wed, Oct 10, 2018 at 6:46 PM Ryan Sleevi <sleevi at google.com> wrote:
>> On Wed, Oct 10, 2018 at 7:50 PM Wayne Thayer via Validation <
>> validation at cabforum.org> wrote:
>>> Following up on the thread that Doug started [1] on reviving Ballot 202,
>>> I would summarize the current situation as follows:
>>> * My memory of ballot 202 going down in flames for unrelated reasons was
>>> only partially correct. Erwann voiced a strong objection to violating
>>> standards and voted against, and Ryan later stated that his vote for that
>>> ballot was in spite of the exception permitting underscore characters in
>>> DNSNames.
>>> * Later on in the thread that Doug started, Erwann pointed out specific
>>> implementations that do not tolerate underscores [2].
>>> * While Comodo stated that they stopped issuing these certificates after
>>> the ballot failed, some CAs continue the practice [3].
>>> As I stated on our last call, I'm unhappy with the current lack of
>>> clarity and consistency. Some of the options for fixing this are:
>>> * Put forth another ballot creating an exception for this and see if it
>>> passes. (TBH, now that I've read the history on this issue, I would be
>>> inclined to vote against)
>>> * Add language explicitly forbidding this to the BRs.
>>> * Focus on adding support for SRVNames which would at least partially
>>> solve this problem in a standards-compliant fashion. Unfortunately, this
>>> breaks existing TCSCs in a way that is difficult to fix quickly [4] [5].
>>> My proposal is this: Recognize the existence, use of, and reliance on
>>> certificates with underscores encoded in DNSNames much as we did with
>>> internal names. Update the BRs to explicitly permit issuance of these
>>> certificates for some sunset period with deadlines for ceasing new issuance
>>> and for revoking remaining certificates. I have Jan 1, 2020 in mind as the
>>> date after which new issuance is forbidden, with revocation of existing
>>> certificates required 1 year later, but we can debate this. We'll also have
>>> to decide if an exception process is really necessary.
>> As much as I appreciate the attempt at compromise, I think the discussion
>> previously unquestionably highlighted for both auditors and CAs that such
>> certificates are expressly forbidden by the relevant standards. Further,
>> these certificates cannot be used with the SNI extension, as they violate
>> the TLS specification.
>> Further, given that significant failure by a number of CAs to respond
>> appropriately to both the sunset of issuance for internal server names and
>> the revocation of existing internal server name certificates
>> [1][2][3][4][5][6][7][8][9][10][11][12][13], an attempt at a sunset seems
>> naive, at best. Given CAs' and auditors failure to follow the relevant
>> decades-old RFCs, which have been clearly provided and are unambiguous in
>> their support, and given CAs' failures to timely and effectively adhere to
>> previous sunsets - c.f. internal server names and SHA-1 certificates - we
>> can see no reason to support a sunset.
>> With respect to auditors, it's unconscionable to not see this as a
>> failure of the controls to ensure Criterion 7.1 of the WebTrust for CAs,
>> Criterion 2.1 of the WebTrust for CAs - SSL Baseline, GEN-6.6.1-01 of ETSI
>> EN 319 411-1, and that of Section 4.1 of ETSI EN 319 412-4. There is no
>> supported interpretation that an auditor can take that reasonable assurance
>> or compliance, as appropriate, has been met with such certificates, nor can
>> there be reasonable assurance that controls exist and are functioning
>> properly.
>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1335132
>> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1389172
>> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1397963
>> [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1397960
>> [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1495524
>> [6] https://bugzilla.mozilla.org/show_bug.cgi?id=1390977
>> [7] https://bugzilla.mozilla.org/show_bug.cgi?id=1393557
>> [8] https://bugzilla.mozilla.org/show_bug.cgi?id=1391058
>> [9] https://bugzilla.mozilla.org/show_bug.cgi?id=1390974
>> [10] https://bugzilla.mozilla.org/show_bug.cgi?id=1391074
>> [11] https://bugzilla.mozilla.org/show_bug.cgi?id=1391067
>> [12]
>> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ
>> [13]
>> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20181011/b8eec592/attachment.html>

More information about the Validation mailing list