On Fri, Mar 2, 2018 at 10:08 AM, Paul Hoffman via Public <[email protected]> wrote:

> On Mar 1, 2018, at 7:51 AM, Ben Wilson via Public <[email protected]> wrote:
> >
> > Forwarding from Richard Wang:
> >
> > The current BRs say:
> >
> > Authorized Ports: One of the following ports: 80 (http), 443 (http), 25 (smtp), 22 (ssh).
> >
> > But many internal networks use the port 8443, broadly used in Apache server, today, one of our customers uses this port and can't change to use another port, I wish you can help to add this port 8443 to be allowed in the BRs, thanks.
>
> It appears that the BRs currently are talking about authorizing *services*, not ports. That is, I would not expect to be able to put a HTTP server on port 22 on my system and have that considered authorized by the BRs.
>

That is intentionally permitted.

> Any Internet service can be run on any port. Every web, SMTP, and SSH server software configuration allows you to run on the standard ports or any port you choose.
>
> Two suggestions:
>
> - Clarify the BRs to say "Authorized Services and Ports"
>
> - Add text that says only the authorized ports may be used
>
> If CABF folks want to allow issuance of certificates for services on ports other than the standard ports, you will have to decide what it means to initially offer a service on one port and then move it to another port. The PKIX standard does not allow encoding of port numbers for services in certificates.
>

The port is, I think, a misdirect, since relying party software is generally ambivalent about the port in use. While SRVNames do offer a way to scope the authority to a particular service (on any port), there's been no movement towards adopting them in the CA/Browser Forum, due to the issues they would have with technically constrained sub-CAs.
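The two technical claims in the reply above, that relying parties ignore the port and that PKIX gives no way to encode one, can be seen in the name-matching step a TLS client performs. The following is an added illustration written for this thread, not code from the CA/Browser Forum or any of the posters. It implements dNSName comparison in the style of RFC 6125 (case-insensitive, one wildcard as the whole left-most label) and a simplified SRVName check in the `_Service.Name` form of RFC 4985; mapping the URL scheme directly to the SRVName service label is an assumption made for the example, and all certificate names and URLs below are constructed.

```python
"""Added example (not from the thread): how a relying party matches a
server certificate's subjectAltName entries against the URL it connected
to, and why the TCP port never takes part in that decision."""
from urllib.parse import urlsplit

# OID of the SRVName otherName form (RFC 4985), given for reference only.
ID_ON_DNSSRV = "1.3.6.1.5.5.7.8.7"


def dns_name_matches(pattern, host):
    """RFC 6125 style dNSName comparison: case-insensitive, trailing dot
    ignored, and a '*' accepted only as the entire left-most label of a
    name with at least three labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def srv_name_matches(srv_name, service, host):
    """SRVName is '_Service.Name' (RFC 4985). It binds a service to a
    name; it still says nothing about the port the service listens on.
    Assumption for this example: the URL scheme is used as the service."""
    if not srv_name.startswith("_") or "." not in srv_name:
        return False
    svc, name = srv_name[1:].split(".", 1)
    return svc.lower() == service.lower() and dns_name_matches(name, host)


def certificate_authorizes(url, san_entries):
    """Return True if any SAN entry authorizes the host named in url.

    san_entries is a list of (kind, value) pairs with kind 'dNSName' or
    'SRVName'. The URL's port is parsed and then deliberately discarded,
    which is what browsers and TLS libraries do: a certificate for
    www.example.com is as valid on 8443 as on 443."""
    parts = urlsplit(url)
    host, service = parts.hostname, parts.scheme  # .hostname strips the port
    if not host:
        return False
    for kind, value in san_entries:
        if kind == "dNSName" and dns_name_matches(value, host):
            return True
        if kind == "SRVName" and srv_name_matches(value, service, host):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample certificate names (not real issuance data).
    plain_cert = [("dNSName", "www.example.com")]
    port_in_name = [("dNSName", "www.example.com:8443")]  # not a valid dNSName
    srv_cert = [("SRVName", "_https.www.example.com")]

    print(certificate_authorizes("https://www.example.com:8443/", plain_cert))   # True
    print(certificate_authorizes("https://www.example.com:8443/", port_in_name)) # False
    print(certificate_authorizes("https://www.example.com:8443/", srv_cert))     # True
    print(certificate_authorizes("ssh://www.example.com:22/", srv_cert))         # False
```

The second case is the point of the PKIX remark: a name like `www.example.com:8443` never matches anything because the client compares only the host it extracted from the URL, so "port 8443" cannot be granted or withheld by what a CA puts in the certificate. The SRVName cases show the scoping the reply mentions: the authority is tied to a service, while the port remains irrelevant.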
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
