On Sat, Dec 29, 2018 at 02:40:10PM -0800, Lewis Resmond via dev-security-policy wrote:
> I am not 100% sure, but I have read that underscores can exist in domain
> names:
> https://stackoverflow.com/questions/2180465/can-domain-name-subdomains-have-an-underscore-in-it

Correct, but irrelevant for the purposes of this discussion.

> In another thread of this newsgroup, I saw a list of certificates to be
> revoked because of the underscore issue. And they had underscore domain
> names in it, either in CN or DNS-Names.

Correct.

> So, I wonder, what's the whole forbid-underscore-certificates about? If
> there are domains out there with underscores, why do you want to exclude
> them from being able to use TLS?

Because a TLS client doesn't identify the endpoint with which to establish a
connection by resolving a domain name, it does so by resolving a host name,
which is a different beast, and which has different rules around what
characters are valid -- rules which happen to exclude underscores from the
list of permitted characters.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
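The distinction Matt draws above (a name the DNS can carry versus a name a TLS client may use as a host name) is the kind of check a certificate linter or issuance pipeline applies to each dNSName SAN before signing. The following is an added example, not code from this thread or from Mozilla; it assumes the RFC 1123 "letters, digits, hyphen" rule as the host-name rule and a looser label rule that additionally admits underscores (as service-record names such as `_dmarc` use) as the DNS-name rule. The classifier `check_san` and the sample names are constructed for illustration.

```python
import re

# Host-name label per RFC 952/1123 (assumed rule): letters, digits and hyphen,
# 1..63 octets, no leading or trailing hyphen. This is what a TLS client will
# accept as a host name, so it is what a dNSName SAN must satisfy.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# DNS label as the DNS itself tolerates for names like _dmarc.example.com:
# the LDH set plus underscore. A name can pass this and still be unusable as
# a host name, which is exactly the underscore-certificate problem.
_DNS_LABEL = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")

_MAX_NAME_LEN = 253


def _labels(name):
    """Split a name into labels; drop a single leading wildcard label.
    Returns None when the name is empty or too long to be a DNS name."""
    name = name.rstrip(".")
    if not name or len(name) > _MAX_NAME_LEN:
        return None
    labels = name.split(".")
    if labels[0] == "*" and len(labels) > 1:
        labels = labels[1:]  # '*.example.com' is judged by its non-wildcard labels
    return labels


def is_dns_name(name):
    """True if every label is acceptable to the DNS (underscore allowed)."""
    labels = _labels(name)
    return labels is not None and all(_DNS_LABEL.match(l) for l in labels)


def is_hostname(name):
    """True if every label satisfies the stricter LDH host-name rule."""
    labels = _labels(name)
    return labels is not None and all(_LDH_LABEL.match(l) for l in labels)


def check_san(name):
    """Classify a candidate dNSName SAN value.

    'ok'       - a valid host name; safe to place in a certificate.
    'dns-only' - resolvable in the DNS but not a host name (e.g. contains '_');
                 a TLS client will not match it, so refuse to issue.
    'invalid'  - not even a well-formed DNS name.
    """
    if is_hostname(name):
        return "ok"
    if is_dns_name(name):
        return "dns-only"
    return "invalid"


if __name__ == "__main__":
    # Constructed sample SAN values, not taken from any real certificate.
    for candidate in ["www.example.com", "*.example.com",
                      "_dmarc.example.com", "my_host.example.com",
                      "-bad.example.com", ""]:
        print(f"{candidate!r:28} -> {check_san(candidate)}")
```

The useful output of the classifier is the middle category: a name that the DNS will happily resolve but that fails the host-name rule is the case that ends up on a revocation list, and a linter that only asks "does this resolve?" will miss it.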