To clarify what Paul said, we need to distinguish between the use of a port for certificate validation and the use of a port for delivery of an Internet service. The fact that we use SSL on every port to provide a service does not mean that we should allow that use for validation.
I do think we should consider adding a DNS prefix for certificate validation though, because ports are the old way to advertise services and do not scale. We ran out of ports a long time ago and now use DNS prefixes and .well-known HTTP services to extend the port numbers.

-----Original Message-----
From: Public [mailto:[email protected]] On Behalf Of Paul Hoffman via Public
Sent: Friday, March 2, 2018 10:08 AM
To: Ben Wilson <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]>
Subject: Re: [cabfpub] [Ext] BR Authorized Ports, add 8443

On Mar 1, 2018, at 7:51 AM, Ben Wilson via Public <[email protected]> wrote:
>
> Forwarding from Richard Wang:
>
> The current BRs say:
>
> Authorized Ports: One of the following ports: 80 (http), 443 (http), 25 (smtp), 22 (ssh).
>
> But many internal networks use port 8443, which is broadly used in Apache server today. One of our customers uses this port and can't change to another port. I wish you could help add port 8443 to the allowed list in the BRs, thanks.

It appears that the BRs currently are talking about authorizing *services*, not ports. That is, I would not expect to be able to put an HTTP server on port 22 on my system and have that considered authorized by the BRs. Any Internet service can be run on any port. Every web, SMTP, and SSH server software configuration allows you to run on the standard ports or any port you choose.

Two suggestions:

- Clarify the BRs to say "Authorized Services and Ports"
- Add text that says only the authorized ports may be used

If CABF folks want to allow issuance of certificates for services on ports other than the standard ports, you will have to decide what it means to initially offer a service on one port and then move it to another port. The PKIX standard does not allow encoding of port numbers for services in certificates.
--Paul Hoffman

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
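The point Paul makes in the quoted message is that the BR list pairs a service with a port, so a validation target has to be checked on both: HTTP on port 22 or 8443 is not the same thing as HTTP on port 80. The following is an added example of such a check, written for this page and not code from the CA/Browser Forum or any CA. It takes the four pairs exactly as the quoted BR text lists them (80 http, 443, 25 smtp, 22 ssh); mapping 443 to the `https` URL scheme is my assumption, since the quoted text only says "(http)". The sample URLs at the bottom are constructed for illustration.

```python
from urllib.parse import urlsplit

# Authorized service/port pairs, following the BR text quoted in the thread.
# Keying by URL scheme lets a validator refuse a target whose port is in the
# list but belongs to a different service (e.g. an HTTP server on port 22).
# ASSUMPTION: the BR's "443 (http)" is treated here as the https scheme.
AUTHORIZED_SERVICE_PORTS = {
    "http": {80},
    "https": {443},
    "smtp": {25},
    "ssh": {22},
}

# Port implied when the URL carries none; matches the authorized port for
# each service so that "http://example.com/" resolves to 80.
DEFAULT_PORTS = {"http": 80, "https": 443, "smtp": 25, "ssh": 22}


def check_validation_target(url: str) -> tuple:
    """Return (allowed, reason) for a proposed domain-validation target URL.

    A target is allowed only when its service (URL scheme) is one of the
    authorized services AND the port (explicit or implied) is the port the
    BR authorizes for that service.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in AUTHORIZED_SERVICE_PORTS:
        return False, "service %r is not an authorized service" % scheme

    try:
        port = parts.port  # None when absent; ValueError on a non-numeric port
    except ValueError:
        return False, "malformed port in %r" % parts.netloc
    if port is None:
        port = DEFAULT_PORTS[scheme]

    if port not in AUTHORIZED_SERVICE_PORTS[scheme]:
        # The port may be authorized for some other service (22 for ssh) or
        # for none at all (8443); either way it is not authorized for this one.
        return False, "port %d is not authorized for service %r" % (port, scheme)

    return True, "%s on port %d" % (scheme, port)


if __name__ == "__main__":
    # Constructed sample targets, not taken from the thread.
    samples = [
        "https://example.com/.well-known/pki-validation/token.txt",
        "http://example.com:8443/.well-known/pki-validation/token.txt",
        "http://example.com:22/",
        "ssh://example.com",
    ]
    for sample in samples:
        allowed, reason = check_validation_target(sample)
        print("%-8s %s (%s)" % ("ALLOW" if allowed else "REJECT", sample, reason))
```

Note that the check deliberately does not special-case the port number on its own: 22 is rejected for `http` even though it appears in the BR list, which is exactly the "authorized services and ports" reading Paul argues for, and 8443 is rejected for `http` regardless of how common it is in deployments.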
