[cabf_validation] Underscores, DNSNames, and SRVNames

Jeremy Rowley jeremy.rowley at digicert.com
Thu Oct 11 00:35:19 MST 2018

Where is it forbidden in the Mozilla policy 1.0, I ask realizing I’m walking into a trap…


I also liked how you added “reasonable” to ensure all other interpretations are considered unreasonable by default.


From: Validation <validation-bounces at cabforum.org> On Behalf Of Ryan Sleevi via Validation
Sent: Wednesday, October 10, 2018 11:23 PM
To: Wayne Thayer <wthayer at mozilla.com>
Cc: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] Underscores, DNSNames, and SRVNames


I disagree that the existence of 3935 BR violating certificates is justified or a reason to change the BRs. If anything, it states that anything forbidden will be permitted, so long as you misissue enough of it. This is no different than if a CA were to issue 1024-bit RSA certificates in contravention of the BRs - there's no reasonable basis to change the BRs based on hardship that 'some' customers may face.


There is no reasonable basis to assume it's permitted, so CAs have (and have had) a responsibility to ensure that organizations are educated, and are aware that they cannot replace/renew these certificates. This is a failure, by CAs, to both adhere to the standards and to help their customers avoid disruption.


There's zero evidence to suggest it requires any form of sunset or delay. CAs should have stopped ages ago - because it's never been permitted. Unlike internal server names, this is not the result of some "technically correct, but semantically undesirable" process - Mozilla itself has forbidden this practice since 1.0 of its policy ( https://wiki.mozilla.org/CA:CertificatePolicyV1.0 ). I think that's a huge point that needs to be acknowledged by CAs - unlike RSA-1024, unlike SHA-1, unlike internal server names - there's no reasonable interpretation of the relevant RFCs to believe this has ever been permitted. At best, the only reason to believe permissiveness is because they haven't been taken to the carpet by auditors or browsers, but that's an unacceptable standard for CA operations and compliance - that you only have to comply when you get called out.


CAs should revoke these certificates. They should receive qualified audits for the issuance, and for the lack of revocation. Auditors that fail to acknowledge these 3935 certificates should be suspect, because there's no reasonable basis to believe the control objectives have been met.


On Thu, Oct 11, 2018 at 12:06 AM Wayne Thayer <wthayer at mozilla.com <mailto:wthayer at mozilla.com> > wrote:

According to crt.sh, 3935 certificates containing underscores have been issued in 2018 [1]. Characterizing this as an attempt to compromise with CAs ignores the fact that a lot of organizations apparently rely on such certs, and need education and time to fix the problem, much as they did with internal names. Was the internal name deprecation perfect? Obviously not. Did it succeed? Yes. You can ignore the reality of this situation and blame CAs and auditors for allowing it, but that doesn't solve the problem methodically.


- Wayne


[1] https://crt.sh/?cablint=62 <https://crt.sh/?cablint=62&minNotBefore=2018-01-01> &minNotBefore=2018-01-01


On Wed, Oct 10, 2018 at 6:46 PM Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com> > wrote:


On Wed, Oct 10, 2018 at 7:50 PM Wayne Thayer via Validation <validation at cabforum.org <mailto:validation at cabforum.org> > wrote:

Following up on the thread that Doug started [1] on reviving Ballot 202, I would summarize the current situation as follows:

* My memory of ballot 202 going down in flames for unrelated reasons was only partially correct. Erwann voiced a strong objection to violating standards and voted against, and Ryan later stated that his vote for that ballot was in spite of the exception permitting underscore characters in DNSNames.

* Later on in the thread that Doug started, Erwann pointed out specific implementations that do not tolerate underscores [2].

* While Comodo stated that they stopped issuing these certificates after the ballot failed, some CAs continue the practice [3].


As I stated on our last call, I'm unhappy with the current lack of clarity and consistency. Some of the options for fixing this are:

* Put forth another ballot creating an exception for this and see if it passes. (TBH, now that I've read the history on this issue, I would be inclined to vote against)

* Add language explicitly forbidding this to the BRs.

* Focus on adding support for SRVNames which would at least partially solve this problem in a standards-compliant fashion. Unfortunately, this breaks existing TCSCs in a way that is difficult to fix quickly [4] [5].


My proposal is this: Recognize the existence, use of, and reliance on certificates with underscores encoded in DNSNames much as we did with internal names. Update the BRs to explicitly permit issuance of these certificates for some sunset period with deadlines for ceasing new issuance and for revoking remaining certificates. I have Jan 1, 2020 in mind as the date after which new issuance is forbidden, with revocation of existing certificates required 1 year later, but we can debate this. We'll also have to decide if an exception process is really necessary.


As much as I appreciate the attempt at compromise, I think the discussion previously unquestionably highlighted for both auditors and CAs that such certificates are expressly forbidden by the relevant standards. Further, these certificates cannot be used with the SNI extension, as they violate the TLS specification.


Further, given that significant failure by a number of CAs to respond appropriately to both the sunset of issuance for internal server names and the revocation of existing internal server name certificates [1][2][3][4][5][6][7][8][9][10][11][12][13], an attempt at a sunset seems naive, at best. Given CAs' and auditors failure to follow the relevant decades-old RFCs, which have been clearly provided and are unambiguous in their support, and given CAs' failures to timely and effectively adhere to previous sunsets - c.f. internal server names and SHA-1 certificates - we can see no reason to support a sunset.


With respect to auditors, it's unconscionable to not see this as a failure of the controls to ensure Criterion 7.1 of the WebTrust for CAs, Criterion 2.1 of the WebTrust for CAs - SSL Baseline, GEN-6.6.1-01 of ETSI EN 319 411-1, and that of Section 4.1 of ETSI EN 319 412-4. There is no supported interpretation that an auditor can take that reasonable assurance or compliance, as appropriate, has been met with such certificates, nor can there be reasonable assurance that controls exist and are functioning properly.


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1335132

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1389172

[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1397963

[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1397960

[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1495524

[6] https://bugzilla.mozilla.org/show_bug.cgi?id=1390977

[7] https://bugzilla.mozilla.org/show_bug.cgi?id=1393557

[8] https://bugzilla.mozilla.org/show_bug.cgi?id=1391058

[9] https://bugzilla.mozilla.org/show_bug.cgi?id=1390974

[10] https://bugzilla.mozilla.org/show_bug.cgi?id=1391074

[11] https://bugzilla.mozilla.org/show_bug.cgi?id=1391067

[12] https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/CfyeeybBz9c/lmmUT4x2CAAJ

[13] https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/D0poUHqiYMw/Pf5p0kB7CAAJ








-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20181011/a070f7ab/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4984 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20181011/a070f7ab/attachment-0001.p7s>

More information about the Validation mailing list