From 0ed480fdefa9f5dc58de762ddadf9eb5a8cd5c3c Mon Sep 17 00:00:00 2001 From: Kenneth Myers Date: Fri, 1 Feb 2019 16:26:17 -0500 Subject: [PATCH] Update for SC12 Disallow underscore in dnsName entries. --- certificate-profile-server-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certificate-profile-server-authentication.md b/certificate-profile-server-authentication.md index 170faa6f..401667b0 100644 --- a/certificate-profile-server-authentication.md +++ b/certificate-profile-server-authentication.md @@ -32,7 +32,7 @@ Below is the full server authentication certificate profile with _all_ fields an | Key Usage | Mandatory | True | **Required Key Usage:**
digitalSignature

**Optional Key Usage:**
keyEncipherment for RSA Keys
keyAgreement for Elliptic Curve

**Prohibited Key Usage:**
keyCertSign and cRLSign | | Extended Key Usage | Mandatory | False | **Required Extended Key Usage:**
Server Authentication id-kp-serverAuth {1.3.6.1.5.5.7.3.1}

**Optional Extended Key Usage:**
Client Authentication id-kp-clientAuth {1.3.6.1.5.5.7.3.2}

**Prohibited Extended Key Usage:**
anyEKU EKU {2.5.29.37.0}
all others | | Certificate Policies | Mandatory | False | **Required Certificate Policy Fields:**
See Section 7.1.6.4. One US Government certificate policy OID listed in Section 7.1.6.1 asserting compliance with this CP, and one CAB Forum certificate policy OID listed in Section 7.1.6.1 asserting compliance with the CAB Forum Baseline Requirements.

**Optional Certificate Policy Fields:**
certificatePolicies:policyQualifiers
policyQualifierId id-qt 1
qualifier:cPSuri | -| Subject Alternative Name | Mandatory | False | This extension shall contain at least one entry. Each entry shall be a dNSName containing the Fully-Qualified Domain Name of a server. This extension shall not include any Internal Name values.
All entries shall be validated in accordance with Section 3.2.2.4. | +| Subject Alternative Name | Mandatory | False | This extension shall contain at least one entry. Each entry shall be a dNSName containing the Fully-Qualified Domain Name of a server. This extension shall not include any Internal Name values.
All entries shall be validated in accordance with Section 3.2.2.4.
Underscore characters (“_”) MUST NOT be present in dNSName entries. | | Authority Information Access | Mandatory | False | **Required AIA Fields:**
**OCSP**
Publicly accessible URI of Issuing CA's OCSP responder accessMethod = {1.3.6.1.5.5.7.48.1}

**Id-ad-caIssuers**
Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2}
All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC5272]. | | CRL Distribution Points | Mandatory | False | At least one HTTP URI to the location of a publicly accessible, full and complete CRL. The reasons and cRLIssuer fields must be omitted. | | Private Extensions | Optional | False | Only extensions that have context for use on the public Internet are allowed. Private extensions must not cause interoperability issues. CA must be aware of and defend reason for including in the certificate, and use of Private Extensions shall be approved by the FPKI Policy Authority. |
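Review bot: The added sentence in the Subject Alternative Name row, "Underscore characters (“_”) MUST NOT be present in dNSName entries.", switches to an RFC 2119-style capitalized keyword while every other requirement in this row and the surrounding rows uses the profile's own "shall"/"shall not" wording ("This extension shall contain at least one entry.", "This extension shall not include any Internal Name values."). Suggest "Underscore characters (“_”) shall not be present in dNSName entries." so the row reads consistently, unless the document elsewhere declares RFC 2119 keywords. Two smaller points: the commit subject spells the identifier "dnsName" while the table body correctly uses "dNSName", and the rationale ("SC12") appears only in the commit message; since the Certificate Policies row already cites the CAB Forum Baseline Requirements, a short reference to that source next to the new sentence would let readers of the profile see where the underscore prohibition comes from without consulting the git history.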