On Mon, Nov 12, 2018 at 6:18 PM Man Ho via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> When the ballot said "... would result in a valid domain label", does it
> mean that "... would result in a valid domain name of the applicant,
> that has passed the same level of domain authorization (DV, OV, EV) check?
>

No, this does not mean that the CA needs to perform domain validation on
the FQDN with underscores replaced by hyphens. It means that underscores
are only permitted in certain positions within the domain label, as
discussed in the lead-up to ballot 202 (this language is copied directly
from ballot 202). For example:
https://cabforum.org/pipermail/public/2017-May/011186.html

> Secondly, is it necessary for CAs to state their practice of handling
> underscore domain names in CPS?
>

No, that is not a Mozilla requirement.

> - Man Ho
>
> On 11/13/2018 7:18 AM, Wayne Thayer via dev-security-policy wrote:
> > As you may be aware, the CA/Browser Forum recently passed ballot SC12 [1]
> > creating a sunset period for TLS certificates containing an underscore
> > ("_") character in the SAN. This practice was widespread until a year ago
> > when it was pointed out that underscore characters are not permitted in
> > dNSName name forms, and ballot 202 was proposed to create an exception to
> > RFC 5280 that would allow the practice to continue. When that ballot
> > failed, some CAs stopped allowing underscore characters in SANs and
> > others continued. Ballot SC12 is intended to resolve this inconsistency
> > and provide clear guidance to auditors.
> >
> > The sunset period defined by ballot SC12 is very short. Today Mozilla
> > sent an email to all CAs in our program informing them of this change
> > and asking them to take any steps necessary to comply [2].
> >
> > - Wayne
> >
> > [1] https://cabforum.org/2018/11/12/ballot-sc-12-sunset-of-underscores-in-dnsnames/
> > [2] https://wiki.mozilla.org/CA/Communications#November_2018_CA_Communication_.28Underscores_in_dNSNames.29
>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
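As an added illustration of the positional rule Wayne describes (not code from the thread, the CA/Browser Forum, or Mozilla), the following pre-issuance lint checks a SAN dNSName the way the ballot language reads: replace every underscore with a hyphen and ask whether each label is still a valid domain label. "Valid domain label" is taken here to mean the letter-digit-hyphen (LDH) syntax of RFC 1034 section 3.5 as relaxed by RFC 1123 section 2.1 (1 to 63 octets, no leading or trailing hyphen), which is what RFC 5280 requires of dNSName and which the thread refers to but does not spell out. The function name, the `LintResult` type and the sample names are constructed for this example. As the reply stresses, this is a syntax check on the requested name only; it says nothing about domain validation.

```python
import re
from dataclasses import dataclass

# LDH label syntax (RFC 1034 s3.5 as relaxed by RFC 1123 s2.1):
# letters, digits and hyphens, 1-63 octets, not beginning or ending with '-'.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass(frozen=True)
class LintResult:
    ok: bool            # name is acceptable under the underscore rule
    has_underscore: bool  # name is affected by the SC12 sunset at all
    reason: str


def lint_dnsname_underscores(dnsname: str) -> LintResult:
    """Apply the ballot-202/SC12 positional test to one SAN dNSName.

    Each label is checked after substituting '-' for every '_'. A name
    without underscores therefore gets a plain LDH syntax check. The
    leftmost label may be a bare '*' (wildcard), which is handled before
    the LDH test so ordinary wildcard SANs are not rejected.
    """
    has_underscore = "_" in dnsname
    if not dnsname or len(dnsname) > 253:
        return LintResult(False, has_underscore, "empty name or longer than 253 octets")

    labels = dnsname.split(".")
    for index, label in enumerate(labels):
        if index == 0 and label == "*":
            continue  # leading wildcard label is fine; not part of this rule
        substituted = label.replace("_", "-")
        if not LDH_LABEL.match(substituted):
            if "_" in label:
                return LintResult(
                    False, True,
                    f"label {label!r} is not a valid domain label once '_' is read as '-'",
                )
            return LintResult(False, has_underscore, f"label {label!r} is not a valid LDH label")

    if has_underscore:
        return LintResult(True, True, "underscores present only where a hyphen would be valid")
    return LintResult(True, False, "no underscores; all labels are valid LDH labels")


def lint_san_list(dnsnames):
    """Lint a whole SAN list; returns the names a CA would have to refuse."""
    return [name for name in dnsnames if not lint_dnsname_underscores(name).ok]


if __name__ == "__main__":
    # Constructed sample SAN list, not taken from any real certificate.
    sample_sans = [
        "www.example.com",
        "foo_bar.example.com",            # '-' would be valid here: ok (until sunset)
        "_acme-challenge.example.com",    # '-acme-challenge' starts with '-': reject
        "foo_.example.com",               # 'foo-' ends with '-': reject
        "*.example.com",                  # ordinary wildcard: ok
    ]
    for name in sample_sans:
        r = lint_dnsname_underscores(name)
        print(f"{name:32} ok={r.ok!s:5} underscore={r.has_underscore!s:5} {r.reason}")
```

Running the block prints one verdict per sample name; in a CA pipeline the same function would sit beside the rest of the pre-issuance linting, and the `has_underscore` flag is what lets an operator find the requests affected by the sunset period even when they pass the positional rule.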
