[cabfpub] Pre-Ballot 169 - Revised Validation Requirements
Ryan Sleevi
sleevi at google.com
Tue Jul 19 11:15:36 MST 2016
On Tue, Jul 19, 2016 at 10:51 AM, Jacob Hoffman-Andrews <
jsha at letsencrypt.org> wrote:
> Thanks for working on these! They're looking good.
>
>
>> *Authorized Port:* One of the following ports: 80 (http), 443 (http),
>> 115 (sftp), 25 (smtp), 22 (ssh).
>
>
> It seems like this list should also include 465 and 587 (smtp), 143 and
> 993 (imap), 110 and 995 (pop), and possibly 5269 (xmpp), though the last
> might be less appropriate since it is not generally reserved for privileged
> users.
>
There's been a lot of discussion about this, and there have been arguments
in favor and against the addition of new ports. Given the spate of at-hoc
automated issuance systems and the security issues they've had recently,
and given the difficulties for systems administrators and webmasters to be
able to comprehensively protect such systems (an issue which would not
exist if only domain-based validation were supported), I'm fairly opposed
to widening this list. However, if there's an argument to be made about why
each of these specific ports should be added, it would be useful to know.
There's naturally a tension that needs to be balanced - between the ease of
obtaining a certificate and the difficulties in preventing unauthorized
issuance. Both Microsoft and Google have continually expressed reservations
about authorization methods other than DNS - such as port-based and
file-based authorizations - as they can significantly expand a limited
scope of authorization (such as a specific port) into the ability to
intercept secure communications for an entire host.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20160719/8b19d8e1/attachment.html
More information about the Public
mailing list