On Fri, Mar 2, 2018 at 10:35 AM, Phillip via Public <firstname.lastname@example.org>
> To clarify what Paul said,
> We need to distinguish between the use of a port for certificate validation
> and the use of a port for delivery of an Internet service. The fact that we
> use SSL on every port to provide a service does not mean that we should
> allow that use for validation.
On what basis do you make this claim? I see no justification for the
distinction, nor support for the 'fact'.
> I do think we should consider adding a DNS prefix for certificate
> though, because ports are the old way to advertise services and do not
> scale. We ran out of ports a long time ago and now use DNS prefixes and
> .well-known HTTP services to extend the port numbers.
> -----Original Message-----
> From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Paul
> via Public
> Sent: Friday, March 2, 2018 10:08 AM
> To: Ben Wilson <ben.wil...@digicert.com>; CA/Browser Forum Public
> List <email@example.com>
> Subject: Re: [cabfpub] [Ext] BR Authorized Ports, add 8443
> On Mar 1, 2018, at 7:51 AM, Ben Wilson via Public <firstname.lastname@example.org>
> > Forwarding from Richard Wang:
> > The current BRs say:
> > Authorized Ports: One of the following ports: 80 (http), 443 (http), 25
> > (smtp), 22 (ssh).
> > But many internal networks use port 8443, which is broadly used with Apache
> > servers. Today one of our customers uses this port and can't change to
> > another port. I wish you could help add port 8443 to the ports allowed in
> > the BRs, thanks.
> It appears that the BRs currently are talking about authorizing *services*,
> not ports. That is, I would not expect to be able to put a HTTP server on
> port 22 on my system and have that considered authorized by the BRs.
> Any Internet service can be run on any port. Every web, SMTP, and SSH
> software configuration allows you to run on the standard ports or any port
> you choose.
> Two suggestions:
> - Clarify the BRs to say "Authorized Services and Ports"
> - Add text that says only the authorized ports may be used
> If CABF folks want to allow issuance of certificates for services on ports
> other than the standard ports, you will have to decide what it means to
> initially offer a service on one port and then move it to another port. The
> PKIX standard does not allow encoding of port numbers for services in
> --Paul Hoffman
> Public mailing list