On Wed, Nov 18, 2015 at 2:22 AM, Rob Stradling <rob.stradl...@comodo.com> wrote:
> I would also like to get clarification on if/when the underscore character
> may be used in each of the name types.  Your report seems to flag
> underscores as always prohibited (I think), but I expect that some CAs would
> be surprised by that.

Here is a set of rules that are functionally equivalent to the ones
I'm using to check dNSNames in GeneralNames:

LABEL = "((?!-)[A-Za-z0-9-]{1,63}(?<!-))"
FQDN = "(#{LABEL}\.)*#{LABEL}"
WILDCARD_DN = "\\*\\.#{FQDN}"

dNSName =~ /\A#{DNSNAME}\z/

The FQDN rule is based on RFC 5280 section, which in turn
references RFCs 1123 and 1034.  There is no allowance for underscores
in domain names in these RFCs.

dev-security-policy mailing list

Reply via email to