[cabf_validation] Validation Working Group call - Thurs. Sept. 10

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Wed Sep 9 14:28:28 MST 2015


For our VWG call tomorrow, I'm circulating the most recent draft of our domain validation ballot.  There is no change from the draft circulated for our Forum call last week.

I pasted in the draft Minutes on this issue from last week's call.  At this point, it appears the only remaining work relates to the definition of Authorized Ports.  We asked everyone on the call to forward their ideas.

Ben re-posted his original list - see attachment.  Tim H. suggested removeing TelNet as obsolete and insecure.  Ryan suggested any port greater than 1024 be prohibited, and had other comments.  See attached.  Gerv agreed with the 1024 limit, and suggested approvals for an SSL certificate should not be through a port which was well-known for not being SSL.  That's all the feedback we got.

So if I read this all correctly, here is what is left of Ben's list:

Authorized Ports

Not SSL/TLS

SSL/TLS







ftp

20-21

989-990

ssh

22



telnet

23

992

smtp

25, 587

465

http

80

443

pop

110

995

nntp

119

563

imap

143

993

irc

194

994

ldap

389

636

sip

5060

5061


Our current placeholder definition for Authorized Domains is as follows - which of these do we keep?

Authorized Port: One of the following ports:  80 (http), 443 (http), 115 (sftp), 25 (smtp), 22 (ssh).

Can we try to finish this issue on our call tomorrow?

*****

DRAFT CABF CALL MINUTES

8.            Domain Validation Ballot - Discussion of Draft

Kirk noted that the Validation Working Group had completed a draft ballot with changes to BR 3.2.2.4 concerning domain validation methods, and wanted initial input from Forum members.  He started by asking for a response to the open issues noted in the draft that was circulated.

The first open issue was the question of Authorized Ports.  The working group recognized that allowing use of any and all ports for a practical demonstration method of domain validation presented security risks, and was looking to limit the number of ports that could be used.  The draft ballot includes a definition of Authorized Ports, with a short list of off the possible ports to be used.  However, the working group was not certain that this list was correct.

Jeremy stated that he initially liked the idea of restricting CAs to specific ports, but changed his mind.  He noted that the draft ballot imposed other safeguards for domain validation by practical demonstrations, such as limiting web pages to the well-known directory location and requiring a random value unknown to the customer, so he now believed that there was no need to limit methods to Authorized Ports.  If we are going to limit to Authorized Ports, we need a more comprehensive list, and should get data from all CAs - the current list is too short.

Ryan noted that he was one of the original proponents of limiting Authorized Ports, and stated that some CAs are allowing any ports to be used and that successful hacks have occurred.  He did not feel that the other limitations, such as use of a well-known directory and random value, were sufficient to avoid the security risks if any port is allowed for a practical demonstration.

Ben stated he previously posted a list of 30 to 40 ports to the Validation Working Group, but the group had not reached any consensus.  Kirk asked Ben to repost his list to the Public list for comments and suggestions, and Ben agreed.

Kirk stated the Validation Working Group would take this information into consideration at its meeting next week, then bring the draft ballot back as a real ballot for voting.



<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/validation/attachments/20150909/60db4292/attachment-0001.html 
-------------- next part --------------
An embedded message was scrubbed...
From: Ben Wilson <ben.wilson at digicert.com>
Subject: [cabfpub] "Authorized Port"
Date: Thu, 3 Sep 2015 17:06:08 +0000
Size: 45942
Url: https://cabforum.org/pipermail/validation/attachments/20150909/60db4292/attachment-0002.mht 
-------------- next part --------------
An embedded message was scrubbed...
From: Ryan Sleevi <sleevi at google.com>
Subject: Re: [cabfpub] "Authorized Port"
Date: Thu, 3 Sep 2015 18:11:05 +0000
Size: 54067
Url: https://cabforum.org/pipermail/validation/attachments/20150909/60db4292/attachment-0003.mht 


More information about the Validation mailing list