DigiCert pushes underscore extension

Earlier this year, certain browsers in the CA/Browser Forum mandated that underscore certificates be revoked immediately due to new interpretations of the RFC 1034 standard that is incorporated by reference into the CA/Browser Forum Baseline Requirements.

This resulted in an ongoing discussion in the CA/Browser Forum over the course of this year: should underscore certificates be immediately revoked?

Last year DigiCert championed a ballot to explicitly allow underscores in certificates (Ballot 202). When that ballot failed, due to votes by the browsers and a couple of CAs, it left the legality of underscores unresolved.

As discussions have been ongoing, DigiCert has maintained its focus on customers and the impact immediate revocation would have. Since our attempt at a permanent approval for underscores failed, we requested an extension to revocation and reached an agreement with the industry.

Ballot SC12, which DigiCert voted for, established the extension to allow existing underscore certificates to remain until January 14, 2019. We voted for this ballot because passing this would allow a migration period for affected customers. Several CAs and browsers voted against this ballot, presumably wanting a shorter migration period. If this ballot had failed, all CAs would have been forced to immediately revoke underscore certificates with no time allowed for a migration period.

DigiCert and all other CAs are now required to revoke certificates with underscores to comply with these new industry standards. Note that this applies to all publicly-trusted SSL certificates which contain any domain names with an underscore (in the Common Name or SANs). This does not affect other types of certificates, such as code signing, document signing, and so on.