[cabfpub] "Authorized Port"

Tim Hollebeek THollebeek at trustwave.com
Thu Sep 3 17:56:11 UTC 2015


I’d recommend removing telnet, as it is a rather obsolete and rather insecure protocol.

-Tim

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Thursday, September 03, 2015 1:47 PM
To: Ben Wilson; CABFPub
Subject: [cabfpub] "Authorized Port"

Thanks, Ben.  Well done.

If anyone has ports to add or remove from Ben’s proposed list, please send your input to us (or to Ben and me personally if you can’t post to the Public list) by next Wednesday, Sept. 9 at the latest so we can discuss in the Validation Working Group call the next day.

Kirk

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Thursday, September 03, 2015 10:06 AM
To: CABFPub
Subject: [cabfpub] "Authorized Port"

All,

The Validation Working Group is considering amendments to the domain validation processes.  Two of those processes use the concept of an “authorized port” in order to limit the threat of approvals occurring through ports that are not “well-known”.

Here is the relevant language of the draft ballot:

6. Having the Applicant demonstrate control over the requested FQDN by installing a Random Value (contained in the name of the file, the content of a file, on a web page in the form of a meta tag, or any other format as determined by the CA) under "/.well-known/validation" directory on an Authorized Domain Name that can be validated over an Authorized Port;
…
9. Having the Applicant demonstrate control over the FQDN by the Applicant requesting and then installing a Test Certificate issued by the CA on the FQDN which is accessed and then validated via https by the CA over an Authorized Port;

I have argued in support of at least the following ports:

Authorized Ports     Not SSL/TLS     SSL/TLS
ftp                  20-21           989-990
ssh                  22              -
telnet               23              992
smtp                 25, 587         465
http                 80              443
pop                  110             995
nntp                 119             563
imap                 143             993
irc                  194             994
ldap                 389             636
sip                  5060            5061

Sample of ports that wouldn't be included (among 1,000s of others)

sftp                 115
active-directory     445
rfs                  556
filemaker            591
rpc-over-http        593
ieee-mms-ssl         695
kerberos             749-752
brocade-ssl          898
vmware               901-904
ibm                  1364
c-panel              2083



In a written list I included port 24 (private mail) and 991 (network news) because they were consecutive within a series below for the definition of “Authorized Port”–

“ “Authorized Port” means ports 20-25, 80, 110, 119, 143, 194, 389, 443, 465, 563, 587, 636, 989-995.”

I’ve told the Validation Working Group that I think we need to reach outside the Validation WG to confirm whether this limited list is of the right scope.

If you have any opinions, please respond.

Thanks,

Ben
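The checks described in Ben's message (a validation request must point at the "/.well-known/validation" directory and must use an Authorized Port) can be written as a small pre-flight filter that a CA's validation agent would run before fetching anything. The following is an added example, not code from the draft ballot, from Ben, or from any CA/Browser Forum project. It parses the written definition quoted above ("ports 20-25, 80, 110, 119, 143, 194, 389, 443, 465, 563, 587, 636, 989-995") rather than the table, so ports that appear only in the table (5060/5061 for sip) are rejected, which matches the text of the definition as quoted; the function names and the sample URLs are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# The draft definition of "Authorized Port" exactly as quoted in the message.
AUTHORIZED_PORT_DEFINITION = (
    "20-25, 80, 110, 119, 143, 194, 389, 443, 465, 563, 587, 636, 989-995"
)

# Directory named in draft method 6 for the Random Value file / web page.
VALIDATION_DIR = "/.well-known/validation"

# Ports implied when a URL carries no explicit port (http and https only,
# since methods 6 and 9 both describe HTTP(S) retrieval by the CA).
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_port_set(definition):
    """Turn a comma-separated list of ports and inclusive ranges into a frozenset.

    Rejects anything that is not a plain number or "lo-hi" range, and any
    value outside 1..65535, so a typo in a ballot text fails loudly instead
    of silently authorizing nothing (or everything).
    """
    ports = set()
    for item in definition.split(","):
        item = item.strip()
        match = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if match is None:
            raise ValueError(f"unparseable port entry: {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port range out of bounds: {item!r}")
        ports.update(range(low, high + 1))
    return frozenset(ports)


AUTHORIZED_PORTS = parse_port_set(AUTHORIZED_PORT_DEFINITION)


def check_validation_url(url, authorized_ports=AUTHORIZED_PORTS):
    """Decide whether a validation URL may be fetched at all.

    Returns (ok, reason). Every rejection names the rule that failed so the
    decision can be logged alongside the validation attempt.
    """
    parts = urlsplit(url)

    if parts.scheme not in DEFAULT_PORTS:
        return False, f"scheme {parts.scheme!r} is not http or https"
    if not parts.hostname:
        return False, "URL has no host"

    # The Random Value must live under the well-known validation directory;
    # a token elsewhere on the site does not count.
    path = parts.path
    if not (path == VALIDATION_DIR or path.startswith(VALIDATION_DIR + "/")):
        return False, f"path {path!r} is outside {VALIDATION_DIR}"

    # urlsplit().port raises ValueError for non-numeric or out-of-range ports.
    try:
        port = parts.port
    except ValueError as exc:
        return False, f"malformed port: {exc}"
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]

    if port not in authorized_ports:
        return False, f"port {port} is not an Authorized Port"
    return True, f"port {port} is authorized"


if __name__ == "__main__":
    # Constructed sample requests; example.com is a reserved documentation name.
    samples = [
        "http://example.com/.well-known/validation/random-value.txt",
        "https://example.com/.well-known/validation/random-value.txt",
        "http://example.com:2083/.well-known/validation/random-value.txt",  # cPanel port
        "http://example.com:5060/.well-known/validation/random-value.txt",  # sip, table only
        "http://example.com/validation/random-value.txt",                   # wrong directory
    ]
    for sample in samples:
        ok, reason = check_validation_url(sample)
        print("ALLOW " if ok else "REJECT", sample, "->", reason)
```

Because the port set is built from the definition string, swapping in a revised ballot text (for instance one that adds 5060-5061, or drops 23 as Tim suggests) changes the policy without touching the checking logic, and `parse_port_set` refuses a malformed definition rather than guessing.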
