[cabf_validation] Validation Working Group call - Thurs. Sept. 10

Ben Wilson ben.wilson at digicert.com
Thu Sep 10 04:12:40 MST 2015 

>From what I took away from the last PAG call, we should proceed on multiple parallel paths without waiting for one solution or letting one course of action derail progress.  Not sure I have a specific answer for you, though.

 

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Thursday, September 10, 2015 5:07 AM
To: kirk_hall at trendmicro.com; validation at cabforum.org
Subject: Re: [cabf_validation] Validation Working Group call - Thurs. Sept. 10

 

Kirk,

Gerv said this regarding the current option 7:

*        Speaking for us, even if I thought these changes were good, I don't think I'd want to vote in favour of removing that option until the patent process had completed.

How does this impact our strategy, if at all?

From: validation-bounces at cabforum.org <mailto:validation-bounces at cabforum.org>  [mailto:validation-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com <mailto:kirk_hall at trendmicro.com> 
Sent: Wednesday, September 9, 2015 5:28 PM
To: validation at cabforum.org <mailto:validation at cabforum.org> 
Subject: [cabf_validation] Validation Working Group call - Thurs. Sept. 10
Importance: High

 

For our VWG call tomorrow, I’m circulating the most recent draft of our domain validation ballot.  There is no change from the draft circulated for our Forum call last week.

 

I pasted in the draft Minutes on this issue from last week’s call.  At this point, it appears the only remaining work relates to the definition of Authorized Ports.  We asked everyone on the call to forward their ideas.

 

Ben re-posted his original list – see attachment.  Tim H. suggested removeing TelNet as obsolete and insecure.  Ryan suggested any port greater than 1024 be prohibited, and had other comments.  See attached.  Gerv agreed with the 1024 limit, and suggested approvals for an SSL certificate should not be through a port which was well-known for not being SSL.  That’s all the feedback we got.

 

So if I read this all correctly, here is what is left of Ben’s list:

 


Authorized Ports

Not SSL/TLS

SSL/TLS


 

 

 


ftp

20-21

989-990


ssh

22

 


telnet

23

992


smtp

25, 587

465


http

80

443


pop

110

995


nntp

119

563


imap

143

993


irc

194

994


ldap

389

636


sip

5060

5061

 

Our current placeholder definition for Authorized Domains is as follows – which of these do we keep?

 

Authorized Port: One of the following ports:  80 (http), 443 (http), 115 (sftp), 25 (smtp), 22 (ssh).

 

Can we try to finish this issue on our call tomorrow?

 

*****

 

DRAFT CABF CALL MINUTES

 

8.            Domain Validation Ballot - Discussion of Draft

 

Kirk noted that the Validation Working Group had completed a draft ballot with changes to BR 3.2.2.4 concerning domain validation methods, and wanted initial input from Forum members.  He started by asking for a response to the open issues noted in the draft that was circulated.

 

The first open issue was the question of Authorized Ports.  The working group recognized that allowing use of any and all ports for a practical demonstration method of domain validation presented security risks, and was looking to limit the number of ports that could be used.  The draft ballot includes a definition of Authorized Ports, with a short list of off the possible ports to be used.  However, the working group was not certain that this list was correct.

 

Jeremy stated that he initially liked the idea of restricting CAs to specific ports, but changed his mind.  He noted that the draft ballot imposed other safeguards for domain validation by practical demonstrations, such as limiting web pages to the well-known directory location and requiring a random value unknown to the customer, so he now believed that there was no need to limit methods to Authorized Ports.  If we are going to limit to Authorized Ports, we need a more comprehensive list, and should get data from all CAs – the current list is too short.

 

Ryan noted that he was one of the original proponents of limiting Authorized Ports, and stated that some CAs are allowing any ports to be used and that successful hacks have occurred.  He did not feel that the other limitations, such as use of a well-known directory and random value, were sufficient to avoid the security risks if any port is allowed for a practical demonstration.

 

Ben stated he previously posted a list of 30 to 40 ports to the Validation Working Group, but the group had not reached any consensus.  Kirk asked Ben to repost his list to the Public list for comments and suggestions, and Ben agreed.

 

Kirk stated the Validation Working Group would take this information into consideration at its meeting next week, then bring the draft ballot back as a real ballot for voting.

 

 



 
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/validation/attachments/20150910/1ce2f343/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4954 bytes
Desc: not available
Url : https://cabforum.org/pipermail/validation/attachments/20150910/1ce2f343/attachment-0001.bin

More information about the Validation mailing list