[cabfpub] Pre-Ballot 169 - Revised Validation Requirements

[Jacob Hoffman-Andrews]

>
> There's been a lot of discussion about this, and there have been arguments
> in favor and against the addition of new ports. Given the spate of at-hoc
> automated issuance systems and the security issues they've had recently,
> and given the difficulties for systems administrators and webmasters to be
> able to comprehensively protect such systems (an issue which would not
> exist if only domain-based validation were supported), I'm fairly opposed
> to widening this list. However, if there's an argument to be made about why
> each of these specific ports should be added, it would be useful to know.
>

My reasoning is, like you said, related to the ease of obtaining a
certificate. Specifically, allowing verification through a given port makes
it possible to write software that automatically requests certificates for
itself. People have already written web servers that do that. Ideally it
would be possible to do the same for POP, IMAP, and the other SMTP ports.

A related idea: What would you think of an IANA-allocated port specifically
for certificate validation? That would decrease the risk that software
running on that port was not authorized to request certificate issuance,
and would make it possible to write a system-level service that can request
certificates for various components on the system without worry about port
conflicts.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160719/74750dc1/attachment-0003.html>