[cabfpub] F2F meeting minutes
Gervase Markham
gerv at mozilla.org
Wed Jul 29 13:30:36 UTC 2015
Hi everyone,
I think there may be either an error in the minutes or an error in what
someone said at the F2F :-)
On 24/07/15 19:13, Dean Coclin wrote:
> Public release of F2F meeting minutes
...
> Ryan. This is similar to number 5. It problematic for a couple of
> reasons. Different ports are used by different protocols. e.g. IMAP A
> university student found a CA who allowed you to specify the site name
> (mapping to IP) *and* the port number. Google will hand out ports on
> their turn relay (and other service providers allow this for many
> reasons, too). This means that anyone can have apparent control of an
> (almost) arbitrary port number. Port number requires privilege. I can
> open a port and get a certificate for port number 15000. Running a SSL
> is not necessarily a privileged operation.
>
> It matters which port you're using. There are a whole set of security
> concerns around port use.
>
> Port number under 1024 being privileged is an example and a rule of
> thumb, but is not a standard.
>
> Your email administrator may not be authorized to order a certificate.
>
> Dean: Is that something we've added in?
>
> Ryan: Yes, this was from Gerv. It's the 'Let's Encrypt' model. Doug:
> It's a GlobalSign <https://www.cabforum.org/wiki/GlobalSign> model, too.
> We do something similar. If we need to specify the list of ports in
> section #9 to make it robust then that's OK. Gerv had a more general one
> (#10?) and we boiled it down to these two.
I think there is some misunderstanding here. I don't remember submitting
any proposals for new validation methods to the Validation WG. I don't
know what methods of domain validation LE intend to use.
Gerv
More information about the Public
mailing list