<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.im
{mso-style-name:im;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>??? I think it is fairly clear that with the necessary privs, I can request a TCP/IP socket on any port (other than 0) and then bind a TLS provider to it.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The point I am making is that the fact the subscriber might use the certificate on port 8443 or for that matter on any port in the range [1,65535] does not mean that the validation process should allow other ports.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I currently have >40 TCP/IP sockets open on this Windows box and two thirds of them have https on them. And that is just my development environment. I suspect most of them are due to Docker or the Linux VMs.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>More importantly though, how many validation approaches do we need? I would rather work on reducing them rather than increasing them further.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>In particular, I would like CAA to become a one stop shop for telling CAs what they need to issue a cert. For example:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>example.com. IN CAA 0 issue "comodoca.com"<o:p></o:p></p><p class=MsoNormal>example.com. IN CAA 128 udf "MDTXA-Y7DQJ-P7IRF-XUCRE-2Y5TH-RVNHP"<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The above record would prevent a CA from issuing a cert unless they understand the semantics of the UDF record. So this is the only validation approach permitted.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The UDF record requires that any cert request be signed or countersigned according to a security policy that has the UDF fingerprint "MDTXA-Y7DQJ-P7IRF-XUCRE-2Y5TH-RVNHP"<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>These are described here.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>https://tools.ietf.org/html/draft-hallambaker-udf-08<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-left:.5in'><b>From:</b> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Friday, March 2, 2018 10:52 AM<br><b>To:</b> Phillip <philliph@comodo.com>; CA/Browser Forum Public Discussion List <public@cabforum.org><br><b>Cc:</b> Paul Hoffman <paul.hoffman@icann.org>; Ben Wilson <ben.wilson@digicert.com><br><b>Subject:</b> Re: [cabfpub] [Ext] BR Authorized Ports, add 8443<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><div><p class=MsoNormal style='margin-left:.5in'>On Fri, Mar 2, 2018 at 10:35 AM, Phillip via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal style='margin-left:.5in'>To clarify what Paul said,<br><br>We need to distinguish between the use of a port for certificate validation<br>and the use of a port for delivery of an Internet service. The fact that we<br>use SSL on every port to provide a service does not mean that we should<br>allow that use for validation.<o:p></o:p></p></blockquote><div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'>On what basis do you make this claim? I see no justification for the distinction, nor support for the 'fact'.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal style='margin-left:.5in'>I do think we should consider adding a DNS prefix for certificate validation<br>though because ports are the old way to advertise services and does not<br>scale. We ran out of ports a long time ago and now use DNS prefixes and<br>.well-known HTTP services to extend the port numbers.<br><br><br><span class=im>-----Original Message-----</span><br><span class=im>From: Public [mailto:<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>] On Behalf Of Paul Hoffman</span><br><span class=im>via Public</span><br><span class=im>Sent: Friday, March 2, 2018 10:08 AM</span><br><span class=im>To: Ben Wilson <<a href="mailto:ben.wilson@digicert.com">ben.wilson@digicert.com</a>>; CA/Browser Forum Public Discussion</span><br><span class=im>List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>></span><o:p></o:p></p><div><div><p class=MsoNormal style='margin-left:.5in'>Subject: Re: [cabfpub] [Ext] BR Authorized Ports, add 8443<br><br>On Mar 1, 2018, at 7:51 AM, Ben Wilson via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>wrote:<br>><br>> Forwarding from Richard Wang:<br>><br>> The current BRs say:<br>><br>> Authorized Ports: One of the following ports: 80 (http), 443 (http), 25<br>(smtp), 22 (ssh).<br>><br>> But many internal networks use the port 8443, broadly used in Apache<br>server, today, one of our customers uses this port and can't change to use<br>another port, I wish you can help to add this port 8443 to be allowed in the<br>BRs, thanks.<br><br>It appears that the BRs currently are talking about authorizing *services*,<br>not ports. That is, I would not expect to be able to put a HTTP server on<br>port 22 on my system and have that considered authorized by the BRs.<br><br>Any Internet service can be run on any port. Every web, SMTP, and SSH server<br>software configuration allows you to run on the standard ports or any port<br>you choose.<br><br>Two suggestions:<br><br>- Clarify the BRs to say "Authorized Services and Ports"<br><br>- Add text that says only the authorized ports may be used<br><br>If CABF folks want to allow issuance of certificates for services on ports<br>other than the standard ports, you will have to decide what it means to<br>initially offer a service on one part and then move it to another port. The<br>PKIX standard does not allow encoding of port numbers for services in<br>certificates.<br><br>--Paul Hoffman<br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></div></div></blockquote></div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p></div></div></div></body></html>