On Fri, Mar 2, 2018 at 10:35 AM, Phillip via Public <[email protected]> wrote:
> To clarify what Paul said,
>
> We need to distinguish between the use of a port for certificate validation and the use of a port for delivery of an Internet service. The fact that we use SSL on every port to provide a service does not mean that we should allow that use for validation.

On what basis do you make this claim? I see no justification for the distinction, nor support for the 'fact'.

> I do think we should consider adding a DNS prefix for certificate validation, though, because ports are the old way to advertise services and do not scale. We ran out of ports a long time ago and now use DNS prefixes and .well-known HTTP services to extend the port numbers.
>
> -----Original Message-----
> From: Public [mailto:[email protected]] On Behalf Of Paul Hoffman via Public
> Sent: Friday, March 2, 2018 10:08 AM
> To: Ben Wilson <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]>
> Subject: Re: [cabfpub] [Ext] BR Authorized Ports, add 8443
>
> On Mar 1, 2018, at 7:51 AM, Ben Wilson via Public <[email protected]> wrote:
> >
> > Forwarding from Richard Wang:
> >
> > The current BRs say:
> >
> > Authorized Ports: One of the following ports: 80 (http), 443 (http), 25 (smtp), 22 (ssh).
> >
> > But many internal networks use port 8443, which is broadly used with Apache server today. One of our customers uses this port and can't change to another port. I wish you could help add port 8443 to the allowed ports in the BRs, thanks.
>
> It appears that the BRs currently are talking about authorizing *services*, not ports. That is, I would not expect to be able to put an HTTP server on port 22 on my system and have that considered authorized by the BRs.
>
> Any Internet service can be run on any port. Every web, SMTP, and SSH server software configuration allows you to run on the standard ports or any port you choose.
>
> Two suggestions:
>
> - Clarify the BRs to say "Authorized Services and Ports"
>
> - Add text that says only the authorized ports may be used
>
> If CABF folks want to allow issuance of certificates for services on ports other than the standard ports, you will have to decide what it means to initially offer a service on one port and then move it to another port. The PKIX standard does not allow encoding of port numbers for services in certificates.
>
> --Paul Hoffman
> _______________________________________________
> Public mailing list
> [email protected]
> https://cabforum.org/mailman/listinfo/public
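The following is an added example, not code from the list or from the Baseline Requirements, showing what Paul Hoffman's suggested "Authorized Services and Ports" reading would look like as a CA-side check on a validation target URL, and why a certificate cannot record which port was used. The port/service table is constructed from the BR text quoted in the thread (80 and 443 as the web service, 25 smtp, 22 ssh); the function names, the sample URLs and the `/.well-known/pki-validation/` path used in them are illustrative assumptions.

```python
from urllib.parse import urlsplit

# Constructed policy table modelled on the BR text quoted in the thread:
# 80 (http), 443 (http), 25 (smtp), 22 (ssh). Each authorized port is mapped
# to the service the BRs pair it with, following Paul Hoffman's suggestion
# that the list is really about "Authorized Services and Ports".
PORT_SERVICE = {80: "web", 443: "web", 25: "smtp", 22: "ssh"}

# URL scheme -> service. http and https are both the web service, which is
# how the quoted BR text ("443 (http)") reads.
SCHEME_SERVICE = {"http": "web", "https": "web", "smtp": "smtp", "ssh": "ssh"}
SCHEME_DEFAULT_PORT = {"http": 80, "https": 443, "smtp": 25, "ssh": 22}


def check_validation_target(url):
    """Hypothetical CA-side check of a validation target URL.

    Returns (ok, reason). Accepts only an authorized port, and only when
    the service named by the URL scheme is the one paired with that port,
    so an HTTP server on port 22 is rejected even though 22 is listed.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in SCHEME_SERVICE:
        return False, f"unsupported scheme {scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError as exc:
        return False, f"malformed port: {exc}"
    if port is None:
        port = SCHEME_DEFAULT_PORT[scheme]
    if port not in PORT_SERVICE:
        return False, f"port {port} is not an authorized port"
    if SCHEME_SERVICE[scheme] != PORT_SERVICE[port]:
        return False, f"{scheme} is not the authorized service on port {port}"
    return True, f"{scheme} on authorized port {port}"


def certificate_identity(url):
    """The name a certificate would carry for this target: the host only.

    A dNSName SAN has no port field, which is the point made in the thread
    that PKIX cannot bind a certificate to the port used for validation.
    """
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


if __name__ == "__main__":
    # Constructed sample targets, including the 8443 case from the thread.
    samples = [
        "http://example.com/.well-known/pki-validation/token.txt",
        "https://example.com:8443/.well-known/pki-validation/token.txt",
        "http://example.com:22/",
        "ssh://example.com",
        "http://example.com:notaport/",
    ]
    for target in samples:
        ok, why = check_validation_target(target)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {target}  ({why}); "
              f"cert name would be {certificate_identity(target)!r}")
```

Running the sample set shows the two halves of the argument side by side: the 8443 target and the HTTP-on-22 target are rejected by the port/service pairing, while `certificate_identity` returns the same `example.com` for every port, so whatever port a CA accepts for validation, the issued certificate is equally usable on all of them.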
