[cabfpub] "Authorized Port"

Ryan Sleevi sleevi at google.com
Thu Sep 3 11:11:05 MST 2015


I'd like to suggest that anything greater than 1024 be prohibited on
principal (by default, they are not seen as privileged).

I'm also not sure how the text should be interpreted. Would it be seen as
acceptable to run an HTTP server on port 119? Or an HTTP (not HTTPS) server
on port 636?

As expressed on today's call, it's worth reiterating that a certificate is
scoped to a host name (e.g. applies to all protocols and ports), whereas
both options 6 and 10 only validate control over a single (protocol, host,
port) tuple. This differs from the other methods, which through relying on
DNS, validate control over the hostname / the host namespace.

This can be both a good thing (use the same TLS server certificate both
both your IMAPS and your WWW server) or a bad thing (control of the WWW
server being pivoted to obtain MITM for the IMAP server).

Within that threat, and that scoping challenge, as mentioned on the call it
may be worth considering Option 6/Option 10 to be methods that must be
opted-in to by someone with control over the domain namespace, which
indicates an awareness of the risks or a statement of authorization, that
allows these more permissive methods to be used.

For example, one might consider a recordtype like CAA (or expressed itself
IN CAA, since this does seem to fit within the CAA scope), or a domain
authorization letter, or a confirmation via email, or something of that
nature, to ensure a consistency of authorization between the service
(protocol+host+port) operator and the domain name (hostname) operator.

On Thu, Sep 3, 2015 at 10:47 AM, kirk_hall at trendmicro.com <
kirk_hall at trendmicro.com> wrote:

> Thanks, Ben.  Well done.
>
>
>
> If anyone has ports to add or remove from Ben’s proposed list, please send
> your input to us (or to Ben and me personally if you can’t post to the
> Public list) by next *Wednesday, Sept. 9* at the latest so we can discuss
> in the Validation Working Group call the next day.
>
>
>
> Kirk
>
>
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On
> Behalf Of *Ben Wilson
> *Sent:* Thursday, September 03, 2015 10:06 AM
> *To:* CABFPub
> *Subject:* [cabfpub] "Authorized Port"
>
>
>
> All,
>
>
>
> The Validation Working Group is considering amendments to the domain
> validation processes.  Two of those processes use the concept of an
> “authorized port” in order to limit the threat of approvals occurring
> through ports that are not “well-known”.
>
>
>
> Here is the relevant language of the draft ballot:
>
>
>
> 6. Having the Applicant demonstrate control over the requested FQDN by
> installing a Random Value (contained in the name of the file, the content
> of a file, on a web page in the form of a meta tag, or any other format as
> determined by the CA) under "/.well-known/validation" directory on an
> Authorized Domain Name that can be validated over an Authorized Port;
>
>>
> 9. Having the Applicant demonstrate control over the FQDN by the Applicant
> requesting and then installing a Test Certificate issued by the CA on the
> FQDN which is accessed and then validated via https by the CA over an
> Authorized Port;
>
>
>
> I have argued in support of at least the following ports:
>
>
>
> *Authorized Ports*
>
> *Not SSL/TLS*
>
> *SSL/TLS*
>
>
>
>
>
>
>
> ftp
>
> 20-21
>
> 989-990
>
> ssh
>
> 22
>
>
>
> telnet
>
> 23
>
> 992
>
> smtp
>
> 25, 587
>
> 465
>
> http
>
> 80
>
> 443
>
> pop
>
> 110
>
> 995
>
> nntp
>
> 119
>
> 563
>
> imap
>
> 143
>
> 993
>
> irc
>
> 194
>
> 994
>
> ldap
>
> 389
>
> 636
>
> sip
>
> 5060
>
> 5061
>
> *Sample of ports that wouldn't be included (among 1,000s of others)*
>
>
>
> sftp
>
> 115
>
> active-directory
>
> 445
>
> rfs
>
> 556
>
> filemaker
>
> 591
>
> rpc-over-http
>
> 593
>
> ieee-mms-ssl
>
> 695
>
> kerberos
>
> 749-752
>
> brocade-ssl
>
> 898
>
> vmware
>
> 901-904
>
> ibm
>
> 1364
>
> c-panel
>
> 2083
>
>
>
> In a written list I included port 24 (private mail) and 991 (network news)
> because they were consecutive within a series below for the definition of
> “Authorized Port”–
>
>
>
> “ “Authorized Port” means ports 20-25, 80, 110, 119, 143, 194, 389, 443,
> 465, 563, 587, 636, 989-995.”
>
>
>
> I’ve told the Validation Working Group that I think we need to reach
> outside the Validation WG to confirm whether this limited list is of the
> right scope.
>
>
>
> If you have any opinions, please respond.
>
>
>
> Thanks,
>
>
>
> Ben
>
>
>
>
>
> TREND MICRO EMAIL NOTICE
> The information contained in this email and any attachments is confidential
> and may be subject to copyright or other intellectual property protection.
> If you are not the intended recipient, you are not authorized to use or
> disclose this information, and we request that you notify us by reply mail or
> telephone and delete the original message from your mail system.
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20150903/ebf8fec6/attachment-0001.html 


More information about the Public mailing list