Hello!

It would be helpful if the CA/B or Mozilla could publish a document on its web 
pages to which we can redirect our customers if they have technical questions 
about this underscore issue. Right now, I can only tell them that they are 
forbidden because the ballot to explicitly allow them failed, but not really 
why. Especially since the first result in Google for "underscore domain name" 
is a StackOverflow article (https://stackoverflow.com/a/2183140/1426535) 
stating that it is technically perfectly okay, and also RFC 5280 says "These 
characters [underscore and at-sign] often appear in Internet addresses. Such 
addresses MUST be encoded using an ASN.1 type that supports them."

With best regards,
Rufus Buschart

Siemens AG
Information Technology
Human Resources
PKI / Trustcenter
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany 
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On 
> Behalf Of rahat3858--- via dev-security-policy
> Sent: Monday, December 10, 2018 01:45
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: CA Communication: Underscores in dNSNames
> 
> On Monday, November 12, 2018 at 3:19:17 PM UTC-8, Wayne Thayer wrote:
> > As you may be aware, the CA/Browser Forum recently passed ballot SC12
> > [1] creating a sunset period for TLS certificates containing an
> > underscore
> > ("_") character in the SAN. This practice was widespread until a year
> > ago when it was pointed out that underscore characters are not
> > permitted in dNSName name forms, and ballot 202 was proposed to create
> > an exception to RFC 5280 that would allow the practice to continue.
> > When that ballot failed, some CAs stopped allowing underscore
> > characters in SANs and others continued. Ballot SC12 is intended to
> > resolve this inconsistency and provide clear guidance to auditors.
> >
> > The sunset period defined by ballot SC12 is very short. Today Mozilla
> > sent an email to all CAs in our program informing them of this change
> > and asking them to take any steps necessary to comply [2].
> >
> > - Wayne
> >
> > [1]
> > https://cabforum.org/2018/11/12/ballot-sc-12-sunset-of-underscores-in-dnsnames/
> > [2]
> > https://wiki.mozilla.org/CA/Communications#November_2018_CA_Communication_.28Underscores_in_dNSNames.29
> 
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy