Wayne, many thanks for drawing the attention of the CAs to this matter.

Sectigo (formerly Comodo CA) stopped issuing certificates with 
underscores in dNSNames soon after CABForum ballot 202 failed.  A search 
of our CA database this week found 251 certificates that are in scope 
for the BRs, expire on or after 15th January 2019, and that have at 
least one underscore in a dNSName.

To track Sectigo's progress towards the 15th January 2019 revocation 
deadline, I've created a new batch on Alex Gaynor's excellent Revocation 
Tracker:

https://misissued.com/batch/41/

On 12/11/2018 23:18, Wayne Thayer via dev-security-policy wrote:
> As you may be aware, the CA/Browser Forum recently passed ballot SC12 [1]
> creating a sunset period for TLS certificates containing an underscore
> ("_") character in the SAN. This practice was widespread until a year ago
> when it was pointed out that underscore characters are not permitted in
> dNSName name forms, and ballot 202 was proposed to create an exception to
> RFC 5280 that would allow the practice to continue. When that ballot
> failed, some CAs stopped allowing underscore characters in SANs and others
> continued. Ballot SC12 is intended to resolve this inconsistency and
> provide clear guidance to auditors.
> 
> The sunset period defined by ballot SC12 is very short. Today Mozilla sent
> an email to all CAs in our program informing them of this change and asking
> them to take any steps necessary to comply [2].
> 
> - Wayne
> 
> [1]
> https://cabforum.org/2018/11/12/ballot-sc-12-sunset-of-underscores-in-dnsnames/
> [2]
> https://wiki.mozilla.org/CA/Communications#November_2018_CA_Communication_.28Underscores_in_dNSNames.29

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
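
The selection described in the message above (in scope for the BRs, expiring on or after 15th January 2019, at least one underscore in a dNSName), as an added example that is not part of the original post and not Sectigo's own tooling. The record layout (`serial`, `br_scope`, `not_after`, `revoked`, `dns_names`) and the sample certificates are constructed for illustration.

```python
from datetime import date

# Cutoff from the message: certificates that expire on or after this date.
CUTOFF = date(2019, 1, 15)

# Constructed sample records (not real certificates); field names are hypothetical.
SAMPLE_CERTS = [
    {"serial": "01", "br_scope": True, "not_after": date(2019, 6, 30),
     "revoked": False, "dns_names": ["www.example.com", "dev_api.example.com"]},
    {"serial": "02", "br_scope": True, "not_after": date(2019, 1, 14),
     "revoked": False, "dns_names": ["old_host.example.net"]},
    {"serial": "03", "br_scope": True, "not_after": date(2019, 1, 15),
     "revoked": True, "dns_names": ["*.stage_1.example.org"]},
    {"serial": "04", "br_scope": False, "not_after": date(2020, 3, 1),
     "revoked": False, "dns_names": ["_internal.example.test"]},
    {"serial": "05", "br_scope": True, "not_after": date(2020, 3, 1),
     "revoked": False, "dns_names": ["clean-name.example.com"]},
]


def underscore_names(dns_names):
    """Return the dNSName entries that contain an underscore in any label."""
    return [n for n in dns_names if any("_" in label for label in n.split("."))]


def affected(certs, cutoff=CUTOFF):
    """Select certificates that meet all three criteria from the message."""
    hits = []
    for cert in certs:
        bad = underscore_names(cert["dns_names"])
        if cert["br_scope"] and cert["not_after"] >= cutoff and bad:
            hits.append({"serial": cert["serial"], "names": bad,
                         "revoked": cert["revoked"]})
    return hits


def progress(certs, cutoff=CUTOFF):
    """Return (revoked, total) for the affected set, to track the deadline."""
    hits = affected(certs, cutoff)
    return sum(h["revoked"] for h in hits), len(hits)


if __name__ == "__main__":
    for hit in affected(SAMPLE_CERTS):
        print(hit)
    print("revoked %d of %d" % progress(SAMPLE_CERTS))
```
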
