On 10/09/2016 14:45, Gervase Markham wrote:
> On 09/09/16 11:53, Jakob Bohm wrote:
>> As I read the Wiki description of WoSign issue L: Arbitrary High port
>> validation, the description notes a case of port 8080 validation as an
>> instance of this.
>> If the BR and/or CP/CPS indeed classify port 8080 as a valid web port
>> for domain control checking, that particular case probably shouldn't
>> count.
>
> We aren't counting particular incidents, just the facts of the case,
> which was that any high port was accepted, and that at least one cert
> was issued on a non-8080 port.

I obviously meant "count" as in "carry any weight in assessing the
trustworthiness of WoSign".

Our current evidence seems to be an unfortunate mix of actual issues
(such as the github.io certificates), and semi-irrelevant smear, which
means we will need to separate the chaff from the wheat before Mozilla
has a good basis for any decisions.

>> If instead WoSign (as I seem to recall) considers port 8080 as valid,
>> but the relevant formal documents do not, then that would be a separate
>> but related issue, which should get its own letter on the Wiki page.
>
> As noted in the original write-up, at the time of the incident, the
> relevant formal documents did not specify exact port numbers, but
> Mozilla feels that the fact that ports over 1024 are unprivileged is
> basic security knowledge that any CA should have.

Note that the port above/below 1024 rule is mostly limited to Unix-like
systems; there are server platforms where listening on an arbitrary port
below 1024 is more or less unprotected (usually as a means to allow
servers to run with fewer privileges as a security measure).

The standard/non-standard port distinction for web servers is much more
relevant, as is the distinction between URL paths that are more or less
likely to be controlled by persons other than the domain owner.

However, allowing "arbitrary URL on arbitrary high port" (chosen by the
applicant) is clearly not a good ownership test, in that I agree.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded