[cabfpub] [Ext] BR Authorized Ports, add 8443

Phillip philliph at comodo.com
Fri Mar 2 17:10:57 UTC 2018



From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Friday, March 2, 2018 11:22 AM
To: Phillip <philliph at comodo.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; Paul Hoffman <paul.hoffman at icann.org>; Ben Wilson <ben.wilson at digicert.com>
Subject: Re: [cabfpub] [Ext] BR Authorized Ports, add 8443


More importantly though, how many validation approaches do we need? I would rather work on reducing them rather than increasing them further.


And 64KB should be enough for everybody, no one will need more than one monitor, XGA is plenty resolution, etc.


I would not obsess about the number of validation methods, I would rather us focus on ensuring a consistent level of assurance, and then work to help ensure that anyone and everyone on the Web can easily get a certificate and facilitate greater adoption of encryption.


Unlike 640K, a cryptographic digest is actually sufficient to authenticate any sequence of bits.


Since we require that any validation mechanism be described objectively, it follows that it can be described as a sequence of bits and thus that a cryptographic digest is sufficient.


So I am pretty sure that we can use a CAA record as the hook for pretty much any new validation mechanism we might propose. But as Ryan is pointing out, such mechanisms are not necessarily good ones or ones we should accept.



To be more precise in what was concerning me: I think that we should attempt to limit the number of Internet services, accounts, etc. that operators need to be concerned about restricting access to in order to prevent a malicious request for validation.


This is the concern that makes port 8443 unacceptable to me. Most of the billions of hosts on the net do not regard that port as privileged so we should not attempt to make it so. 


Rather than adding to the ports, accounts, etc. that we are requiring people to watch, I would like us to choose one affordance that has been created for the express purpose of being a gating point for issue. That is the CAA record.



If we need more flexibility in issue mechanisms, the most flexible approach I know of is to use a public key to validate the request. And I already use UDFs to authenticate public keys.


There clearly needs to be some part of any validation mechanism for a DNS based protocol that uses information that comes either directly or indirectly from the DNS system.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180302/726891f3/attachment-0003.html>

More information about the Public mailing list