[cabfpub] BR Authorized Ports, add 8443

Richard Wang richard at wotrus.com
Fri Mar 2 06:48:55 UTC 2018


Checking the IANA site, it says:

pcsync-https    8443    tcp    PC sync HTTPS

And checking the Tomcat Apache website: https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html



<!-- Define a HTTP/1.1 Connector on port 8443, JSSE BIO implementation -->
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="8443" .../>



8443 is popularly used in Apache if you have set up the Apache server. This has no relationship with the WoSign high port numbers problem.





Best Regards,



Richard



From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Phillip via Public
Sent: Friday, March 2, 2018 1:34 PM
To: 'Ryan Sleevi' <sleevi at google.com>; 'CA/Browser Forum Public Discussion List' <public at cabforum.org>; 'Ben Wilson' <ben.wilson at digicert.com>
Subject: Re: [cabfpub] BR Authorized Ports, add 8443



Service Name and Transport Protocol Port Number Registry

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml



Speedguide has no authority and I for one had never heard of it. IANA is the source.





If we were to consider an alternative port then it should be advertised by means of a DNS SRV record. But that does not seem necessary.





From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
Sent: Thursday, March 1, 2018 11:18 AM
To: Ben Wilson <ben.wilson at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] BR Authorized Ports, add 8443



This was intentional and keeps the port numbers within the standard set of 'authorized' ports (in the notion of unix systems) - ports <1024 requiring privileged access.



This is generally true (but not explicitly) on other systems.



Given that WoSign/WoTrus's past issuance systems allowed unprivileged users to obtain certificates through the use of high port numbers (in this case, for STUN/TURN services and SSH), I do not think it particularly wise or encouraging to consider this.



On Thu, Mar 1, 2018 at 10:51 AM, Ben Wilson via Public <public at cabforum.org> wrote:

   Forwarding from Richard Wang:

   The current BRs say:

   Authorized Ports: One of the following ports: 80 (http), 443 (http), 25 (smtp), 22 (ssh).

   But many internal networks use port 8443, which is broadly used in Apache server. Today, one of our customers uses this port and can't change to another port. I wish you could help add port 8443 to those allowed in the BRs, thanks.

   https://www.speedguide.net/port.php?port=8443, it says "8443 is the Common alternative HTTPS port."



