← CABF Ballot Browser
SC-012 passed

Ballot SC012: Sunset of Underscores in dNSNames

Server Certificate Working Group

Key dates

Effective date
30 Apr 2019 7 years ago
Voting opened
02 Nov 2018 7 years ago
Voting closed
09 Nov 2018 7 years ago
Discussion opened
26 Oct 2018 7 years ago
Discussion closed
02 Nov 2018 7 years ago

AI Summary

Generated 2026-06-23 21:24 UTC

Ballot overview

  • Ballot SC012, Sunset of Underscores in dNSNames, was reported as passed.
  • The ballot was a Final Maintenance Guideline.
  • It was intended to create a brief sunset period for subscribers using FQDNs containing underscores so they could transition away from them.

Voting results

  • Certificate Issuers: 23 votes total including abstentions; 20 yes, 2 no, 1 abstain.
  • Certificate Consumers: 6 votes total including abstentions; 4 yes, 2 no, 0 abstain.
  • The ballot page states the bylaw requirements were met for both Certificate Issuers and Certificate Consumers.
  • Quorum was met.

Requirement changes

  • Prior to April 1, 2019, certificates containing underscore characters in dNSName entries may be issued only if:
    • replacing all underscores with hyphens would result in a valid domain label,
    • underscores are not placed in the left most domain label, and
    • the certificate validity period is no longer than 30 days.
  • All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days must be revoked prior to January 15, 2019.
  • After April 30, 2019, underscore characters must not be present in dNSName entries.

Approval timeline

  • Discussion: 2018-10-26 19:00 UTC to 2018-11-02 22:00 UTC.
  • Vote for approval: 2018-11-02 22:00 UTC to 2018-11-09 22:00 UTC.
Model: gpt-5.4-mini Confidence: 0.98 Result: passed
Effective date
2019-04-30
Voting opened
2018-11-02
Voting closed
2018-11-09
Discussion opened
2018-10-26
Discussion closed
2018-11-02
Applicability and conditions

2019-04-01 — Such certificates may be issued only under the stated temporary conditions before this date. Certificates containing underscore characters in dNSName entries

2019-01-15 — These certificates must be revoked by this date. Certificates containing underscore characters in any dNSName entry with a validity period of more than 30 days

2019-04-30 — Underscore characters must not be present in dNSName entries on or after this date. All certificates with dNSName entries

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Vote result

0 Yes
0 No
1 Abstain

0% yes · 0% no · 100% abstain

Proposers

Wayne Thayer of Mozilla and endorsed by Dave Blunt of Amazon and Tim Shirley of Trustwave.

Excerpt

SearchHome » All CA/Browser Forum Posts » Ballot SC012: Sunset of Underscores in dNSNamesBallot SC012: Sunset of Underscores in dNSNamesThe voting period for Ballot SC12 has ended and the Ballot has Passed. Here are the results:

View on cabforum.org → Last fetched 15 hours ago

We use only essential cookies and local browser storage for preferences and security. See our Privacy Policy for details.

Confirm action