[cabf_validation] Ballot 202: The Return

Corey Bonnell Corey.Bonnell at digicert.com
Fri Jun 11 14:26:09 UTC 2021


Hello,

As you all know, Ballot 202 [1] failed a few years ago and since then there
are certain areas where requirements are unclear. To address these issues, I
drafted a ballot here: https://github.com/cabforum/servercert/pull/285.

In summary, there are three normative changes:

Effective immediately upon passage:

* Prohibition on Unicode representation ("U-labels") of Domain Labels
  in subject CN

Proposed effective October 1st, 2021:

* All Domain Labels that begin with "xn--" must be followed by valid
  output of the Punycode encoding algorithm.
* Domain Labels that have hyphens as the third and fourth characters
  must have "xn" (case insensitive) as the first two characters (e.g.,
  "zz-foo" is not allowed).

Judging from some analysis of CT logs, the prohibition on U-labels and
XN-labels with invalid Punycode output affects very few certificates (~100
valid certificates in CT). The prohibition on non-XN-label Reserved LDH
labels will be more impactful (several thousand certificates).

Ryan has provided feedback on the ballot text (thanks!) on GitHub and also
raised the question whether this ballot should be incorporated in the
profiles ballot. My thinking is that we should propose this separately, as
doing so will reduce the number of normative changes introduced by the
profiles ballot, which will make it easier for CAs to process and update
their operations accordingly. Additionally, all the concepts proposed in
this ballot have been previously discussed during Ballot 202 discussion, so
this ballot is essentially "self-contained". I am interested to hear what
the group thinks, both in terms of whether this work should be incorporated
in the profiles ballot, and on the draft ballot content itself (especially
effective dates).

Thanks,

Corey

[1] https://cabforum.org/2017/07/26/ballot-202-underscore-wildcard-characters/
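
The three label rules summarized in the message above, as an added example that is not part of the original post or of the ballot text: a Python check applied to each Domain Label of a name. The function and constant names and the sample labels are constructed for illustration; the check covers only these three rules (not general LDH syntax) and, as an assumption of this example, treats "valid output" as Punycode that decodes and re-encodes to the same string.

```python
# Added example: lint Domain Labels against the three rules in the message.
# Finding names are hypothetical, chosen for this example only.
U_LABEL = "u-label"                       # Unicode label where only ASCII is allowed
BAD_PUNYCODE = "xn-label-invalid-punycode"
RESERVED_LDH = "reserved-ldh-not-xn"      # "--" in positions 3-4 without "xn"


def check_label(label):
    """Return the finding for one Domain Label, or None if it passes."""
    # Rule 1: no Unicode representation of a label (U-label).
    if not label.isascii():
        return U_LABEL

    low = label.lower()  # the "xn" prefix is compared case-insensitively

    # Rule 2: whatever follows "xn--" must be valid Punycode output.
    if low.startswith("xn--"):
        payload = low[4:]
        try:
            decoded = payload.encode("ascii").decode("punycode")
            # Assumption: require a canonical round trip, not just a decode.
            if decoded.encode("punycode").decode("ascii") != payload:
                return BAD_PUNYCODE
        except (ValueError, OverflowError):  # UnicodeError is a ValueError
            return BAD_PUNYCODE
        return None

    # Rule 3: hyphens as third and fourth characters require an "xn" prefix.
    if low[2:4] == "--":
        return RESERVED_LDH
    return None


def lint_name(fqdn):
    """Return (label, finding) pairs for every failing label in a name."""
    return [(lab, f) for lab in fqdn.split(".") if (f := check_label(lab))]


if __name__ == "__main__":
    # Constructed sample names, not taken from CT logs.
    for name in ("www.xn--bcher-kva.example", "xn--z.example",
                 "zz--foo.example", "bücher.example"):
        print(name, lint_name(name))
```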
