Hi,

On 11/26/15 12:50 PM, Yoav Nir wrote:
>> On 26 Nov 2015, at 1:43 PM, Rob Stradling <rob.stradl...@comodo.com> wrote:
>>
>> On 26/11/15 11:37, Stephen Farrell wrote:
>> <snip>
>>> True. A port-specific cert would only work with updated browsers
>>> which I guess is a fairly fatal objection to the idea. Ah well.
>> Is it worth considering requiring proof of control of (some particular 
>> combination of) _multiple_ ports rather than just a single port?  Would that 
>> strengthen the validation in any meaningful way?
> Not really. I have user access (with shell) to a bunch of Linux servers
> where I work. I can run programs and open any high port I want, but I can’t
> open ports below 1024.
>
> Running some script to run a web server on a bunch of high ports is trivial 
> in a case like that. Of course “proper” environments won’t let anyone other 
> than an administrator get shell access to a computer running a public-facing 
> web server, but we can’t rely on all environments being properly run.
>

I'd go further: requiring proof on multiple different ports requires
more code complexity and more network complexity wrt firewalls.  That
sounds like more trouble than it is worth for a DV cert.

Eliot


_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
