[cabf_validation] Validation Working Group call - Thurs. Sept. 10
kirk_hall at trendmicro.com
kirk_hall at trendmicro.com
Wed Sep 9 14:29:42 MST 2015
This time with most recent draft of ballot.
From: Kirk Hall (RD-US)
Sent: Wednesday, September 09, 2015 2:28 PM
To: validation at cabforum.org
Subject: Validation Working Group call - Thurs. Sept. 10
Importance: High
For our VWG call tomorrow, I'm circulating the most recent draft of our domain validation ballot. There is no change from the draft circulated for our Forum call last week.
I pasted in the draft Minutes on this issue from last week's call. At this point, it appears the only remaining work relates to the definition of Authorized Ports. We asked everyone on the call to forward their ideas.
Ben re-posted his original list - see attachment. Tim H. suggested removeing TelNet as obsolete and insecure. Ryan suggested any port greater than 1024 be prohibited, and had other comments. See attached. Gerv agreed with the 1024 limit, and suggested approvals for an SSL certificate should not be through a port which was well-known for not being SSL. That's all the feedback we got.
So if I read this all correctly, here is what is left of Ben's list:
Authorized Ports
Not SSL/TLS
SSL/TLS
ftp
20-21
989-990
ssh
22
telnet
23
992
smtp
25, 587
465
http
80
443
pop
110
995
nntp
119
563
imap
143
993
irc
194
994
ldap
389
636
sip
5060
5061
Our current placeholder definition for Authorized Domains is as follows - which of these do we keep?
Authorized Port: One of the following ports: 80 (http), 443 (http), 115 (sftp), 25 (smtp), 22 (ssh).
Can we try to finish this issue on our call tomorrow?
*****
DRAFT CABF CALL MINUTES
8. Domain Validation Ballot - Discussion of Draft
Kirk noted that the Validation Working Group had completed a draft ballot with changes to BR 3.2.2.4 concerning domain validation methods, and wanted initial input from Forum members. He started by asking for a response to the open issues noted in the draft that was circulated.
The first open issue was the question of Authorized Ports. The working group recognized that allowing use of any and all ports for a practical demonstration method of domain validation presented security risks, and was looking to limit the number of ports that could be used. The draft ballot includes a definition of Authorized Ports, with a short list of off the possible ports to be used. However, the working group was not certain that this list was correct.
Jeremy stated that he initially liked the idea of restricting CAs to specific ports, but changed his mind. He noted that the draft ballot imposed other safeguards for domain validation by practical demonstrations, such as limiting web pages to the well-known directory location and requiring a random value unknown to the customer, so he now believed that there was no need to limit methods to Authorized Ports. If we are going to limit to Authorized Ports, we need a more comprehensive list, and should get data from all CAs - the current list is too short.
Ryan noted that he was one of the original proponents of limiting Authorized Ports, and stated that some CAs are allowing any ports to be used and that successful hacks have occurred. He did not feel that the other limitations, such as use of a well-known directory and random value, were sufficient to avoid the security risks if any port is allowed for a practical demonstration.
Ben stated he previously posted a list of 30 to 40 ports to the Validation Working Group, but the group had not reached any consensus. Kirk asked Ben to repost his list to the Public list for comments and suggestions, and Ben agreed.
Kirk stated the Validation Working Group would take this information into consideration at its meeting next week, then bring the draft ballot back as a real ballot for voting.
<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/validation/attachments/20150909/f8e18751/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: New Domain Validation Draft 9-1-2015 (for CABF consideration).pdf
Type: application/pdf
Size: 383278 bytes
Desc: New Domain Validation Draft 9-1-2015 (for CABF
consideration).pdf
Url : https://cabforum.org/pipermail/validation/attachments/20150909/f8e18751/attachment-0001.pdf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: New Domain Validation Draft 9-1-2015 (for CABF consideration).docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 34986 bytes
Desc: New Domain Validation Draft 9-1-2015 (for CABF
consideration).docx
Url : https://cabforum.org/pipermail/validation/attachments/20150909/f8e18751/attachment-0001.bin
More information about the Validation
mailing list