[cabfpub] BR Authorized Ports, add 8443

Fotis Loukos fotisl at ssl.com
Fri Mar 2 00:00:06 MST 2018


Hello,
per RFC1700:

WELL KNOWN PORT NUMBERS

The Well Known Ports are controlled and assigned by the IANA and on
most systems can only be used by system (or root) processes or by
programs executed by privileged users.
....
The assigned ports use a small portion of the possible port numbers.
For many years the assigned ports were in the range 0-255.  Recently,
the range for assigned ports managed by the IANA has been expanded to
the range 0-1023.

The first paragraph is still true on most operating systems, such as
*nix, Windows and MacOSX. On most of these systems, any user can bind to
a port >= 1024. I am using the word 'most' because I don't know the
networking subsystem of all operating systems, but every single one I've
used works like this. Adding port 8443 to the authorized ports would
mean that giving shell access to someone would give them access to issue
a certificate for that server. I don't think that shell access as an
ordinary user qualifies as having ownership or control of a domain.

Regards,
Fotis

On 02/03/2018 08:48 AM, Richard Wang via Public wrote:
> Checking the IANA site, it says:
> 
> pcsync-https   8443   tcp   PC sync HTTPS
> 
> And checking the Tomcat Apache website:
> https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
> 
> <!-- Define a HTTP/1.1 Connector on port 8443, JSSE BIO implementation -->
> <Connector protocol="org.apache.coyote.http11.Http11Protocol"
>            port="8443" .../>
> 
> 8443 is popularly used in Apache if you have set up the Apache server. This
> has NO relationship with the WoSign high port numbers problem.
> 
> Best Regards,
> 
> Richard
> 
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of
> *Phillip via Public
> *Sent:* Friday, March 2, 2018 1:34 PM
> *To:* 'Ryan Sleevi' <sleevi at google.com>; 'CA/Browser Forum Public
> Discussion List' <public at cabforum.org>; 'Ben Wilson'
> <ben.wilson at digicert.com>
> *Subject:* Re: [cabfpub] BR Authorized Ports, add 8443
> 
> Service Name and Transport Protocol Port Number Registry
> 
> https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
> 
> Speedguide has no authority and I for one had never heard of it. IANA is
> the source.
> 
> IF we were to consider an alternative port then it should be advertised
> by means of a DNS SRV record. But that does not seem necessary.
> 
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of *Ryan
> Sleevi via Public
> *Sent:* Thursday, March 1, 2018 11:18 AM
> *To:* Ben Wilson <ben.wilson at digicert.com
> <mailto:ben.wilson at digicert.com>>; CA/Browser Forum Public Discussion
> List <public at cabforum.org <mailto:public at cabforum.org>>
> *Subject:* Re: [cabfpub] BR Authorized Ports, add 8443
> 
> This was intentional and keeps the port numbers within the standard set
> of 'authorized' ports (in the notion of unix systems) - ports <1024
> requiring privileged access.
> 
> This is generally true (but not explicitly) on other systems.
> 
> Given that WoSign/WoTrus's past issuance systems allowed unprivileged
> users to obtain certificates through the use of high port numbers (in
> this case, for STUN/TURN services and SSH), I do not think it
> particularly wise or encouraging to consider this.
> 
> On Thu, Mar 1, 2018 at 10:51 AM, Ben Wilson via Public
> <public at cabforum.org <mailto:public at cabforum.org>> wrote:
> 
>     Forwarding from Richard Wang:
> 
>     The current BRs say:
> 
>     Authorized Ports: One of the following ports: 80 (http), 443 (http),
>     25 (smtp), 22 (ssh).
> 
>     But many internal networks use port 8443, which is broadly used in
>     Apache servers. Today, one of our customers uses this port and can't
>     change to another port. I wish you could help to add port 8443 to
>     the allowed ports in the BRs, thanks.
> 
>     https://www.speedguide.net/port.php?port=8443, it says "8443 is the
>     Common alternative HTTPS port."
> 
>     _______________________________________________
>     Public mailing list
>     Public at cabforum.org <mailto:Public at cabforum.org>
>     https://cabforum.org/mailman/listinfo/public
> 


-- 
Fotis Loukos, PhD
Director of Security Architecture
SSL Corp
e: fotisl at ssl.com
w: https://www.ssl.com
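A CA-side check of the kind Fotis argues for, written here as an added example that is not part of this thread or of any CA's validation code: it encodes the Authorized Ports quoted from the BRs above and the RFC 1700 privileged-port boundary, and rejects a validation target on 8443 because any local account could bind that port. The scheme-to-port defaults and the `probe_bind` helper are assumptions of this example.

```python
"""Added example (not from the cabfpub thread): a CA-side check that rejects
domain-validation targets on ports an unprivileged local account could bind."""
import socket
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Authorized Ports exactly as quoted from the BRs in the thread.
BR_AUTHORIZED_PORTS = {80: "http", 443: "http", 25: "smtp", 22: "ssh"}
# RFC 1700 / IANA boundary: below this, most operating systems require
# privileged access to bind; at or above it, any user may bind.
FIRST_UNPRIVILEGED_PORT = 1024
# Assumed defaults for URLs that carry no explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ssh": 22, "smtp": 25}


def check_validation_target(url: str) -> Tuple[bool, Optional[int], str]:
    """Return (accepted, port, reason) for a proposed validation URL."""
    parts = urlsplit(url)
    try:
        port = parts.port  # ValueError if the port component is not a number
    except ValueError:
        return False, None, "malformed port"
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme.lower())
    if port is None:
        return False, None, "unknown scheme %r and no explicit port" % parts.scheme
    if port in BR_AUTHORIZED_PORTS:
        return True, port, "BR Authorized Port (%s)" % BR_AUTHORIZED_PORTS[port]
    if port >= FIRST_UNPRIVILEGED_PORT:
        return False, port, ("unprivileged port: any local account can bind it, "
                             "so answering there does not demonstrate control")
    return False, port, "privileged port, but not in the BR Authorized Ports list"


def probe_bind(port: int) -> bool:
    """Try to bind the port on loopback; True if the OS permitted it.
    The result depends on who runs this: as an ordinary user on most systems
    443 fails with EACCES while 8443 succeeds, which is the concern above."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("127.0.0.1", port))
        except OSError:
            return False
        return True


if __name__ == "__main__":
    for target in ("https://example.com/.well-known/pki-validation/token.txt",
                   "https://example.com:8443/.well-known/pki-validation/token.txt"):
        print(target, check_validation_target(target))
    for p in (443, 8443):
        print("bind %d as this user: %s" % (p, probe_bind(p)))
```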


More information about the Public mailing list