As you may be aware, the CA/Browser Forum recently passed ballot SC12 [1]
creating a sunset period for TLS certificates containing an underscore
("_") character in the SAN. This practice was widespread until a year ago
when it was pointed out that underscore characters are not permitted in
dNSName name forms, and ballot 202 was proposed to create an exception to
RFC 5280 that would allow the practice to continue. When that ballot
failed, some CAs stopped allowing underscore characters in SANs and others
continued. Ballot SC12 is intended to resolve this inconsistency and
provide clear guidance to auditors.

The sunset period defined by ballot SC12 is very short. Today Mozilla sent
an email to all CAs in our program informing them of this change and asking
them to take any steps necessary to comply [2].

- Wayne

[1] https://cabforum.org/2018/11/12/ballot-sc-12-sunset-of-underscores-in-dnsnames/
[2] https://wiki.mozilla.org/CA/Communications#November_2018_CA_Communication_.28Underscores_in_dNSNames.29
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
