CA/Browser Forum
Home » Posts » Ballot SC12: Sunset of Underscores in dNSNames

Ballot SC12: Sunset of Underscores in dNSNames

The voting period for Ballot SC12 has ended and the Ballot has Passed. Here are the results:

Voting by Certificate Issuers – 23 votes total including abstentions

  • 20 Yes votes: Actalis, Amazon, Buypass, Camerfirma, Certum (Asseco), Sectigo (former Comodo CA), D-TRUST, DigiCert, Digidentity, DocuSign France, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, QuoVadis, SHECA,, TWCA, Trustwave
  • 2 No votes: Chunghwa Telecom, Entrust Datacard
  • 1 Abstain: TrustCor

91% of voting Certificate Issuers voted in favor.

Voting by Certificate Consumers – 6 votes total including abstentions

  • 4 Yes votes: Apple, Comodo Security Solutions, Cisco, Mozilla
  • 2 No votes: Google, Microsoft
  • 0 Abstain:

67% of voting Certificate Consumers voted in favor

Relevant Bylaw references

Bylaw 2.3(f) requires:

  • a “yes” vote by two-thirds of Certificate Issuer votes and 50%-plus-one Certificate Consumer votes for approval. Votes to abstain are not counted for this purpose. This requirement was met for both Certificate Issuers and Certificate Consumers.
  • at least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was also met.

Under Bylaw 2.3(g), “a ballot result will be considered valid only when more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining a quorum. Half of currently active Members as of the start of voting was 10, so quorum was 11 votes – quorum was met.

Purpose of Ballot

Ballot 202 included a provision creating a permanent exception permitting the underscore character to be used in SAN fields of type dNSName. Since that ballot failed in 2017, the practice has continued despite being non-compliant with RFC 5280. This ballot creates a brief sunset period intended to allow Subscribers who are relying on FQDNs containing underscores to transition away from them, either by changing the name or deploying a wildcard certificate.

The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Dave Blunt of Amazon and Tim Shirley of Trustwave.

Motion begins

Add the following language to BR section (Subject Alternative Name Extension):

Prior to April 1, 2019, certificates containing underscore characters (“_”) in domain labels in dNSName entries MAY be issued as follows:

  • dNSName entries MAY include underscore characters such that replacing all underscore characters with hyphen characters (“-“) would result in a valid domain label, and;
  • Underscore characters MUST NOT be placed in the left most domain label, and;
  • Such certificates MUST NOT be valid for longer than 30 days.

All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.

After April 30, 2019, underscore characters (“_”) MUST NOT be present in dNSName entries.

Motion ends

This ballot proposes a Final Maintenance Guideline. A comparison of the changes can be found at:…wthayer:Underscores

The procedure for approval of this ballot is as follows:

Discussion (7-21 days) Start Time: 2018-10-26, 19:00 UTC End Time: 2018-11-02, 22:00 UTC

Vote for approval (7 days) Start Time: 2018-11-02, 22:00 UTC End Time: 2018-11-09, 22:00 UTC

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).