[cabfpub] [Ext] BR Authorized Ports, add 8443

Ryan Sleevi sleevi at google.com
Fri Mar 2 08:51:19 MST 2018


On Fri, Mar 2, 2018 at 10:08 AM, Paul Hoffman via Public <
public at cabforum.org> wrote:

> On Mar 1, 2018, at 7:51 AM, Ben Wilson via Public <public at cabforum.org>
> wrote:
> >
> > Forwarding from Richard Wang:
> >
> > The current BRs say:
> >
> > Authorized Ports: One of the following ports: 80 (http), 443 (http), 25
> (smtp), 22 (ssh).
> >
> > But many internal networks use the port 8443, broadly used in Apache
> server, today, one of our customers uses this port and can't change to use
> another port, I wish you can help to add this port 8443 to be allowed in
> the BRs, thanks.
>
> It appears that the BRs currently are talking about authorizing
> *services*, not ports. That is, I would not expect to be able to put a HTTP
> server on port 22 on my system and have that considered authorized by the
> BRs.
>

That is intentionally permitted.


>
> Any Internet service can be run on any port. Every web, SMTP, and SSH
> server software configuration allows you to run on the standard ports or
> any port you choose.
>
> Two suggestions:
>
> - Clarify the BRs to say "Authorized Services and Ports"
>
> - Add text that says only the authorized ports may be used
>
> If CABF folks want to allow issuance of certificates for services on ports
> other than the standard ports, you will have to decide what it means to
> initially offer a service on one part and then move it to another port. The
> PKIX standard does not allow encoding of port numbers for services in
> certificates.
>

The port is, I think, a misdirect, since relying party software is
generally ambivalent about the port in use. While SRVNames do offer a way
to scope the authority to a particular service (on any port), there's been
no movement towards adopting them in the CA/Browser Forum, due to the
issues they would have with technically constrained sub-CAs.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20180302/e95b3ddd/attachment.html>


More information about the Public mailing list