[cabf_validation] Underscores, DNSNames, and SRVNames

Jeremy Rowley jeremy.rowley at digicert.com
Thu Oct 11 02:17:28 MST 2018

Why? Would it change your mind? It’s probably an unreasonable argument. 

Plus we already stopped issuing certs with underscore characters. The writing is on the wall on this one so the main question for me is how should we prevent having this discussion again in another two years? 


From: Ryan Sleevi <sleevi at google.com> 
Sent: Thursday, October 11, 2018 3:02 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: CA/Browser Forum Validation WG List <validation at cabforum.org>; Wayne Thayer <wthayer at mozilla.com>
Subject: Re: [cabf_validation] Underscores, DNSNames, and SRVNames



On Thu, Oct 11, 2018 at 4:57 AM Jeremy Rowley <jeremy.rowley at digicert.com> wrote:

“Incorrect extensions” is hardly prohibitive of underscore characters especially where the only mention of underscores in 5280 is:


   When the subjectAltName extension contains a domain name system
   label, the domain name MUST be stored in the dNSName (an IA5String).
   The name MUST be in the "preferred name syntax", as specified by
   Section 3.5 of [RFC1034] and as modified by Section 2.1 of



plus the BRs All Certificates

All other fields and extensions MUST be set in accordance with RFC 5280. 


Can you remind me again where there's any possible interpretation of the above that would result in underscores being permitted?
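
The syntax rule quoted in the thread above, as an added example that is not part of the original messages: a Python check of dNSName strings against the RFC 1034 Section 3.5 preferred name syntax, with the RFC 1123 Section 2.1 leading-digit relaxation. The function names, the wildcard allowance and the sample names are assumptions constructed for illustration.

```python
import re

# RFC 1034 Section 3.5 label: letters, digits and hyphen, with no hyphen at
# either end. RFC 1123 Section 2.1 relaxes the first character to allow a digit.
LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")

def check_dnsname(name, allow_wildcard=True):
    """Return a list of (label, reason) problems; an empty list means conformant."""
    if not name.isascii():
        return [(name, "not an IA5String (non-ASCII)")]
    problems = []
    if len(name) > 253:
        problems.append((name, "name longer than 253 octets"))
    labels = name.split(".")
    # Assumption: one leftmost "*" label is tolerated for wildcard
    # certificates; this allowance is not in the RFC text quoted above.
    if allow_wildcard and len(labels) > 1 and labels[0] == "*":
        labels = labels[1:]
    for label in labels:
        if label == "":
            problems.append((label, "empty label"))
        elif len(label) > 63:
            problems.append((label, "label longer than 63 octets"))
        elif "_" in label:
            problems.append((label, "underscore is outside letters/digits/hyphen"))
        elif not LDH_LABEL.fullmatch(label):
            problems.append((label, "invalid character or hyphen at label edge"))
    return problems

def lint_san(dns_names):
    # Map each non-conformant dNSName to its list of problems.
    report = {}
    for name in dns_names:
        problems = check_dnsname(name)
        if problems:
            report[name] = problems
    return report

# Constructed sample dNSName values, not taken from any real certificate.
SAMPLE_SAN = [
    "www.example.com", "*.example.com", "3com.example",
    "my_host.example.com", "_sip._tcp.example.com", "-edge.example.com",
]

if __name__ == "__main__":
    for name, problems in lint_san(SAMPLE_SAN).items():
        print(name, problems)
```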
