On 9/10/16, Gervase Markham <[email protected]> wrote:
> On 09/09/16 11:53, Jakob Bohm wrote:
>> As I read the Wiki description of WoSign issue L: Arbitrary High port
>> validation, the description notes a case of port 8080 validation as an
>> instance of this.
>>
>> If the BR and/or CP/CPS indeed classify port 8080 as a valid web port
>> for domain control checking, that particular case probably shouldn't
>> count.
>
> We aren't counting particular incidents, just the facts of the case,
> which was that any high port was accepted, and that at least one cert
> was issued on a non-8080 port.
>
>> If instead WoSign (as I seem to recall) considers port 8080 as valid,
>> but the relevant formal documents do not, then that would be a separate
>> but related issue, which should get its own letter on the Wiki page.
>
> As noted in the original write-up, at the time of the incident, the
> relevant formal documents did not specify exact port numbers, but
> Mozilla feels that the fact that ports over 1024 are unprivileged is
> basic security knowledge that any CA should have.
Does Mozilla feel that using 'clear text' protocols to validate domains
is adequate security?

https://cabforum.org/2016/08/05/ballot-169-revised-validation-requirements/
> Authorized Port: One of the following ports: 80 (http), 443 (http), 115
> (sftp), 25 (smtp), 22 (ssh).

I got a copy of https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.0.pdf
and searched for the string "dnssec". No matches. Will Mozilla be
offering an amendment to the BR requiring the use of DNSSEC where
available?

How bad does an auditor have to be before Mozilla will no longer accept
them as "a trusted auditor for the Mozilla root program"?

https://wiki.mozilla.org/CA:WoSign_Issues#Issue_J:_Various_BR_Violations_.28Apr_2015.29
> Google noted that many of these issues should have been caught by a competent
> auditor.
> WoSign's auditors at the time were Ernst and Young (Hong Kong).

Will Mozilla accept CA audits done by Ernst and Young in the near future?
Does Mozilla plan on giving any extra attention to CAs whose last audit
was done by Ernst and Young?

Thanks,
Lee

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
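The thread turns on one concrete control: a CA's domain-validation fetch must only ever go to a BR "Authorized Port", and anything at or above 1024 is unprivileged and therefore proves nothing about control of the host. The following is an added example, not code from the thread, from Mozilla, or from any CA; it takes the port list exactly as quoted above from BR 1.4.0 and checks a candidate validation URL against it. The function names, the default-port table and the sample URLs are constructed for illustration.

```python
"""Check whether a domain-validation target URL uses a BR 'Authorized Port'.

Added example (not from the thread or from any CA's code). The port list is
the one quoted in the post from CA/Browser Forum BR 1.4.0; the function
names, default-port table and sample URLs are constructed for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit

# Authorized Ports per BR 1.4.0 as quoted in the thread (port -> label).
AUTHORIZED_PORTS = {80: "http", 443: "http", 115: "sftp", 25: "smtp", 22: "ssh"}

# Port implied when a URL omits one, keyed by scheme (assumed table, not from the BR).
DEFAULT_PORTS = {"http": 80, "https": 443, "sftp": 115, "ssh": 22, "smtp": 25}


def effective_port(url: str) -> Optional[int]:
    """Return the port a validation request to `url` would actually reach.

    Returns None when it cannot be determined: unknown scheme with no explicit
    port, or a port component that is non-numeric / out of range (urlsplit
    raises ValueError for those, and a validator must not guess).
    """
    parts = urlsplit(url)
    try:
        explicit = parts.port          # the ':NNNN' part of the authority, if any
    except ValueError:
        return None
    if explicit is not None:
        return explicit
    return DEFAULT_PORTS.get(parts.scheme.lower())


def is_authorized_port(url: str) -> bool:
    """True only when the effective port is on the BR Authorized Port list.

    Any port >= 1024 is unprivileged (any local user of the target host could
    bind it), so it is rejected even when a CA's own CP/CPS is silent on ports,
    which is the point made about port 8080 and other high ports in the thread.
    """
    port = effective_port(url)
    return port is not None and port in AUTHORIZED_PORTS


def classify(url: str) -> str:
    """Short human-readable verdict, suitable for an issuance log or audit report."""
    port = effective_port(url)
    if port is None:
        return "REJECT: cannot determine port"
    if port in AUTHORIZED_PORTS:
        return f"OK: port {port} ({AUTHORIZED_PORTS[port]})"
    if port >= 1024:
        return f"REJECT: port {port} is unprivileged (>= 1024)"
    return f"REJECT: port {port} is privileged but not an Authorized Port"


if __name__ == "__main__":
    # Constructed sample validation targets, including the 8080 case from the thread.
    for u in ["http://example.com/.well-known/pki-validation/token.txt",
              "https://example.com/.well-known/pki-validation/token.txt",
              "http://example.com:8080/.well-known/pki-validation/token.txt",
              "http://example.com:8443/token.txt",
              "http://example.com:21/token.txt"]:
        print(f"{u} -> {classify(u)}")
```

The check is deliberately a whitelist rather than a ">= 1024" rule alone: a low port that is not on the list (21 in the sample) is still rejected, because the BR names the permitted ports rather than a threshold, and a URL whose port cannot be parsed is rejected rather than defaulted.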

