On 09/09/16 11:53, Jakob Bohm wrote:
> As I read the Wiki description of WoSign issue L: Arbitrary High port
> validation, the description notes a case of port 8080 validation as an
> instance of this.
> 
> If the BR and/or CP/CPS indeed classify port 8080 as a valid web port
> for domain control checking, that particular case probably shouldn't
> count.

We aren't counting particular incidents, just the facts of the case,
which was that any high port was accepted, and that at least one cert
was issued on a non-8080 port.

> If instead WoSign (as I seem to recall) considers port 8080 as valid,
> but the relevant formal documents do not, then that would be a separate
> but related issue, which should get its own letter on the Wiki page.

As noted in the original write-up, at the time of the incident, the
relevant formal documents did not specify exact port numbers, but
Mozilla feels that the fact that ports over 1024 are unprivileged is
basic security knowledge that any CA should have.

Gerv
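
A policy check in the spirit of the point above, added here as an example and not code from this thread or from any CA: it accepts a domain-control validation URL only on the scheme's default port or an explicitly allowed privileged port, and audits constructed sample validation records for any served from an unprivileged port. The function names, the allowed-port set and the sample records are assumptions.

```python
from urllib.parse import urlsplit

# On a typical Unix host only a privileged (root) process can bind a port
# below 1024; any local user can bind a port above it. A validation file
# served from such a port therefore proves control of some account on the
# host, not control of the domain. (Hypothetical policy helper.)
DEFAULT_PORTS = {"http": 80, "https": 443}
ALLOWED_PORTS = frozenset({80, 443})


def check_validation_target(url, allowed_ports=ALLOWED_PORTS):
    """Return (accepted, reason) for a domain-control validation URL."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        return False, "unsupported scheme %r" % parts.scheme
    try:
        port = parts.port  # None if no explicit port; ValueError if malformed
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    if port not in allowed_ports:
        kind = "unprivileged" if port > 1024 else "non-web"
        return False, "port %d is %s; only %s accepted" % (
            port, kind, sorted(allowed_ports))
    return True, "port %d accepted" % port


# Constructed sample records: "<date> <domain> <validation URL>".
SAMPLE_RECORDS = [
    "2015-06-01 example.com http://example.com/.well-known/pki-validation/a.txt",
    "2015-06-02 example.net http://example.net:8080/.well-known/pki-validation/a.txt",
    "2015-06-03 example.org http://example.org:51234/.well-known/pki-validation/a.txt",
    "2015-06-04 example.edu https://example.edu:443/.well-known/pki-validation/a.txt",
]


def audit_records(records, allowed_ports=ALLOWED_PORTS):
    """Return (domain, reason) for every record validated on a disallowed port."""
    flagged = []
    for rec in records:
        _date, domain, url = rec.split()
        ok, reason = check_validation_target(url, allowed_ports)
        if not ok:
            flagged.append((domain, reason))
    return flagged


if __name__ == "__main__":
    for domain, reason in audit_records(SAMPLE_RECORDS):
        print("%s: %s" % (domain, reason))
```

Widening `allowed_ports` to include 8080 shows how a single policy toggle turns the audit from two findings into one, which is why the port list belongs in the formal documents rather than in code.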


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
