[cabf_validation] Authorized Port List

Ben Wilson ben.wilson at digicert.com
Mon Aug 31 04:37:05 MST 2015


I’m fine with leaving it off.

 

From: Doug Beattie [mailto:doug.beattie at globalsign.com] 
Sent: Monday, August 31, 2015 5:35 AM
To: Ben Wilson <ben.wilson at digicert.com>; validation at cabforum.org
Subject: RE: Authorized Port List

 

sip is above 1000, is that one necessary or could we omit that and let a
strong proponent that uses it today request that it be added?

 

Other than that, sure, it’s a short list and we can let the public list
discuss the pros/cons of the entries.

 

From: Ben Wilson [mailto:ben.wilson at digicert.com] 
Sent: Monday, August 31, 2015 7:31 AM
To: Ben Wilson <ben.wilson at digicert.com <mailto:ben.wilson at digicert.com> >;
Doug Beattie <doug.beattie at globalsign.com
<mailto:doug.beattie at globalsign.com> >; validation at cabforum.org
<mailto:validation at cabforum.org> 
Subject: RE: Authorized Port List

 

What about this reduced list?

 


Authorized Ports

Not SSL/TLS

SSL/TLS

	

 

 

 

	

ftp

20-21

989-990

	

ssh

22

 

	

telnet

23

992

	

smtp

25, 587

465

	

http

80

443

	

pop

110

995

	

nntp

119

563

	

imap

143

993

	

irc

194

994

	

ldap

389

636

	

sip

5060

5061

	
				

Ports that won't be included

 

		

sftp

115

		

active-directory

445

		

rfs

556

		

filemaker

591

		

rpc-over-http

593

		

ieee-mms-ssl

695

		

kerberos

749-752

		

brocade-ssl

898

		

vmware

901-904

		

ibm

1364

		

c-panel

2083

		
				

 

 

From: validation-bounces at cabforum.org
<mailto:validation-bounces at cabforum.org>
[mailto:validation-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Monday, August 31, 2015 5:07 AM
To: Doug Beattie <doug.beattie at globalsign.com
<mailto:doug.beattie at globalsign.com> >; validation at cabforum.org
<mailto:validation at cabforum.org> 
Subject: Re: [cabf_validation] Authorized Port List

 

My thought is that if an SSL certificate can be installed for the services
listed below, then the proper way to configure the server (from a security
perspective) is to lock down all other ports and only allow the correct type
of traffic through.  For example, an IMAP server would have ports 143 and
993 open and then once the certificate is installed port 143 would forward
to port 993.  I agree that the list can be pared down (but other ports may
need to be added – I didn’t include port 143 in my list), but I’m waiting to
hear from someone more knowledgeable than I on this.  I think we need to
reach outside the Validation Working Group for an answer.

 

From: Doug Beattie [mailto:doug.beattie at globalsign.com] 
Sent: Friday, August 28, 2015 1:07 PM
To: Ben Wilson <ben.wilson at digicert.com <mailto:ben.wilson at digicert.com> >;
validation at cabforum.org <mailto:validation at cabforum.org> 
Subject: RE: Authorized Port List

 

Some CAs have very strict rules about where the random number can go and
they request the customer to place it there.  If others put it anywhere,
then I guess they will need to provide a long list like you did or recommend
that we not restrict this to a specific set of ports.

 

Doug

 

From: Ben Wilson [mailto:ben.wilson at digicert.com] 
Sent: Friday, August 28, 2015 2:45 PM
To: Doug Beattie <doug.beattie at globalsign.com
<mailto:doug.beattie at globalsign.com> >; validation at cabforum.org
<mailto:validation at cabforum.org> 
Subject: RE: Authorized Port List

 

It's not about what CAs want.  It's about what a customer might want.

  _____  

From: Doug Beattie <mailto:doug.beattie at globalsign.com> 
Sent: ‎8/‎28/‎2015 11:26 AM
To: Ben Wilson <mailto:ben.wilson at digicert.com> ; validation at cabforum.org
<mailto:validation at cabforum.org> 
Subject: RE: Authorized Port List

Ben,

 

Do you think a CA needs to use all of these ports when attempting to
validate a Random value in the .well-known directory on an Authorized
Domain?  It seems unlikely Kerberos, sip and many others would be used for
that purpose.

 

I suggest CAs add to the short list in Kirk’s proposal with ones they use
and need to be present.  If others need to be added in the future that can
be another ballot (i.e., start small and add as needed).

 

Doug

 

From: validation-bounces at cabforum.org
<mailto:validation-bounces at cabforum.org>
[mailto:validation-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Friday, August 28, 2015 2:11 PM
To: validation at cabforum.org <mailto:validation at cabforum.org> 
Subject: [cabf_validation] Authorized Port List

 

What about this list as something to review?  It’s pulled from a review of
this:

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers 

 

22 (ssh), 25 (smtp), 80 (http), 109-110 (pop), 115 (sftp), 443 (https), 465
(smtps), 556 (rfs), 563 (nntps), 587 (smtp), 591 (filemaker), 593
(rpc-over-http), 636 (ldaps), 695 (ieee-mms-ssl), sip, 749-752 (kerberos),
898 (brocade-ssl), 901-904 (vmware), 911 (nca), 989-990 (ftps), 992
(telnets), 993 (imaps), 994 (ircs), 995 (pops), 1364 (ibm), 2083 (cpanel),
2087 (webhost), 2096 (cpanel), 5060-5061 (sip)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/validation/attachments/20150831/d50e0231/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4954 bytes
Desc: not available
Url : https://cabforum.org/pipermail/validation/attachments/20150831/d50e0231/attachment-0001.bin 


More information about the Validation mailing list