[cabfpub] "Authorized Port"
Tim Hollebeek
THollebeek at trustwave.com
Thu Sep 3 17:56:11 UTC 2015
I’d recommend removing telnet, as it is a rather obsolete and rather insecure protocol.
-Tim
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Thursday, September 03, 2015 1:47 PM
To: Ben Wilson; CABFPub
Subject: [cabfpub] "Authorized Port"
Thanks, Ben. Well done.
If anyone has ports to add or remove from Ben’s proposed list, please send your input to us (or to Ben and me personally if you can’t post to the Public list) by next Wednesday, Sept. 9 at the latest so we can discuss in the Validation Working Group call the next day.
Kirk
From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Thursday, September 03, 2015 10:06 AM
To: CABFPub
Subject: [cabfpub] "Authorized Port"
All,
The Validation Working Group is considering amendments to the domain validation processes. Two of those processes use the concept of an “authorized port” in order to limit the threat of approvals occurring through ports that are not “well-known”.
Here is the relevant language of the draft ballot:
6. Having the Applicant demonstrate control over the requested FQDN by installing a Random Value (contained in the name of the file, the content of a file, on a web page in the form of a meta tag, or any other format as determined by the CA) under "/.well-known/validation" directory on an Authorized Domain Name that can be validated over an Authorized Port;
…
9. Having the Applicant demonstrate control over the FQDN by the Applicant requesting and then installing a Test Certificate issued by the CA on the FQDN which is accessed and then validated via https by the CA over an Authorized Port;
I have argued in support of at least the following ports:
Authorized Ports
Not SSL/TLS
SSL/TLS
ftp
20-21
989-990
ssh
22
telnet
23
992
smtp
25, 587
465
http
80
443
pop
110
995
nntp
119
563
imap
143
993
irc
194
994
ldap
389
636
sip
5060
5061
Sample of ports that wouldn't be included (among 1,000s of others)
sftp
115
active-directory
445
rfs
556
filemaker
591
rpc-over-http
593
ieee-mms-ssl
695
kerberos
749-752
brocade-ssl
898
vmware
901-904
ibm
1364
c-panel
2083
In a written list I included port 24 (private mail) and 991 (network news) because they were consecutive within a series below for the definition of “Authorized Port”–
“ “Authorized Port” means ports 20-25, 80, 110, 119, 143, 194, 389, 443, 465, 563, 587, 636, 989-995.”
I’ve told the Validation Working Group that I think we need to reach outside the Validation WG to confirm whether this limited list is of the right scope.
If you have any opinions, please respond.
Thanks,
Ben
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150903/d4626b55/attachment-0003.html>
More information about the Public
mailing list