On Mar 1, 2018, at 7:51 AM, Ben Wilson via Public <public@cabforum.org> wrote:
> Forwarding from Richard Wang:
> The current BRs say:
> Authorized Ports: One of the following ports: 80 (http), 443 (http), 25 
> (smtp), 22 (ssh).
> But many internal networks use the port 8443, broadly used in Apache server, 
> today, one of our customers uses this port and can't change to use another 
> port, I wish you can help to add this port 8443 to be allowed in the BRs, 
> thanks.

It appears that the BRs currently are talking about authorizing *services*, not 
ports. That is, I would not expect to be able to put a HTTP server on port 22 
on my system and have that considered authorized by the BRs.

Any Internet service can be run on any port. Every web, SMTP, and SSH server 
software configuration allows you to run on the standard ports or any port you 

Two suggestions:

- Clarify the BRs to say "Authorized Services and Ports"

- Add text that says only the authorized ports may be used

If CABF folks want to allow issuance of certificates for services on ports 
other than the standard ports, you will have to decide what it means to 
initially offer a service on one part and then move it to another port. The 
PKIX standard does not allow encoding of port numbers for services in 

--Paul Hoffman
Public mailing list

Reply via email to