[9] RFR: 8007706: X.509 cert extension SAN should support "_" in dNSName

Jason Uh jason.uh at oracle.com
Tue Aug 5 05:52:36 UTC 2014

Hi Florian,

I've reviewed the RFC again and think there might be some 
misinterpretation. The only part I see about underscores reads:

>    Implementers should note that the at sign ('@') and underscore ('_')
>    characters are not supported by the ASN.1 type PrintableString.
>    These characters often appear in Internet addresses.  Such addresses
>    MUST be encoded using an ASN.1 type that supports them.  They are
>    usually encoded as IA5String in either the emailAddress attribute
>    within a distinguished name or the rfc822Name field of GeneralName.
>    Conforming implementations MUST NOT encode strings that include
>    either the at sign or underscore character as PrintableString.

RFC 5280 doesn't allow underscores for *PrintableString*, but DNSName is 
an *IA5String*, which does support them.


On 08/04/2014 03:50 AM, Florian Weimer wrote:
> On 08/02/2014 04:09 AM, Jason Uh wrote:
>> Hi Florian,
>> Thanks for your input. There was some discussion about the issue in the
>> past on this list:
>> http://mail.openjdk.java.net/pipermail/security-dev/2013-February/006622.html
>> Do you disagree with the comments there?
> I think the intent of RFC 5280 is *not* to allow "_" in dNSName.
> However, other PKIX implementations (OpenSSL, NSS) do not seem to verify
> dNSName syntax at all, so it might be necessary to drop the check for
> interoperability reasons in OpenJDK, even if it makes OpenJDK less
> compliant with RFC 5280.

More information about the security-dev mailing list