<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Hi Tim.  Given our offline discussion and some of the other folks’ comments (e.g. Geoff’s on JIT), the ballot makes better sense now.  Thanks, Mike<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Tim Shirley <TShirley@trustwave.com> <br>
<b>Sent:</b> Friday, July 20, 2018 2:02 PM<br>
<b>To:</b> Mike Reilly (GRC) <Mike.Reilly@microsoft.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org>; Tim Hollebeek <tim.hollebeek@digicert.com>; CA/Browser Forum Public Discussion List <public@cabforum.org>; Wayne
 Thayer <wthayer@mozilla.com><br>
<b>Subject:</b> Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network Security Guidelines<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">That one I’m less sure about.  I don’t think I would read that requirement as applying to one-time-use (per-session) passwords, which I believe is what you’re describing: a credential that is discarded when the session ends, rather than a standing password that is rotated on a schedule.  But perhaps there’s a way to make that more explicit in the ballot text if others disagree.  I assume
 it wasn’t intentional for the language to exclude such a use case.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">"Mike Reilly (GRC)" <<a href="mailto:Mike.Reilly@microsoft.com">Mike.Reilly@microsoft.com</a>><br>
<b>Date: </b>Friday, July 20, 2018 at 4:41 PM<br>
<b>To: </b>Tim Shirley <<a href="mailto:TShirley@trustwave.com">TShirley@trustwave.com</a>>, CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>>, Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>>,
 CABFPub <<a href="mailto:public@cabforum.org">public@cabforum.org</a>>, Wayne Thayer <<a href="mailto:wthayer@mozilla.com">wthayer@mozilla.com</a>><br>
<b>Subject: </b>RE: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network Security Guidelines<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">Hi Tim S.  The last point I made was about the use of Just In Time (JIT) admin, where all CA access is done with a session password that is deleted when the session ends. So we literally have passwords that last minutes; once the session
 ends the password is useless.  That is, in effect, a CA policy requiring the password to change based on its age, with that age measured in minutes — which is why I was concerned about wording that prohibits age-based changes more often than every 2 years.  Thanks, Mike<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Tim Shirley <<a href="mailto:TShirley@trustwave.com">TShirley@trustwave.com</a>>
<br>
<b>Sent:</b> Friday, July 20, 2018 1:16 PM<br>
<b>To:</b> Mike Reilly (GRC) <<a href="mailto:Mike.Reilly@microsoft.com">Mike.Reilly@microsoft.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>>;
 CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>>; Wayne Thayer <<a href="mailto:wthayer@mozilla.com">wthayer@mozilla.com</a>><br>
<b>Subject:</b> Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network Security Guidelines<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I don’t think the proposed language has a requirement that the password NOT change.  The requirement is that you don’t have a policy REQUIRING it to change simply based on its age, unless that time period is >= 2 years.  Changing it more
 frequently than every 2 years in the event of an employee departure or a password compromise would be fine, as presumably would be any arbitrary other criteria the CA might use (I think I saw a drone flying over our data center..  better change those passwords!) 
 So given that, I don’t think the original 3 concerns apply, as the first 2 (employee departure and password compromise) would be valid alternative reasons to change the password even with the proposed change, and the third (auditors verifying that the password
 wasn’t changed) wouldn’t be necessary.  The auditor would only verify that there was no time-based policy requiring a regular change; not whether or not a change had been performed.
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#00A1D0">Tim Shirley    </span></b><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#6B6C6E">Software Architect</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#6B6C6E">t: +1 412.395.2234</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#6B6C6E"> </span><o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#00A1D0">Trustwave</span></b><b><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#6B6C6E">
</span></b><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#6B6C6E">| </span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#6B6C6E">SMART SECURITY ON DEMAND</span><o:p></o:p></p>
<p class="MsoNormal"><u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#6B6C6E"><a href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D4062%26d%3Dj8nS238UZnL2IlLwbeXP9kOIPzj_JvbmuDvfwkQEdA%26s%3D5%26u%3Dhttps%253a%252f%252fna01%252esafelinks%252eprotection%252eoutlook%252ecom%252f%253furl%253dhttp%25253A%25252F%25252Fwww%252etrustwave%252ecom%25252F%2526data%253d02%25257C01%25257CMike%252eReilly%252540microsoft%252ecom%25257Cbe4ed645001a46cdd71d08d5ee7d9c51%25257C72f988bf86f141af91ab2d7cd011db47%25257C1%25257C1%25257C636677145622294651%2526sdata%253dz16wfoijuHAaZQPSTYbZfzY84eEgaMix2vyKOm7GgLE%25253D%2526reserved%253d0&data=02%7C01%7CMike.Reilly%40microsoft.com%7C3d48be4dc6294c3cef4b08d5ee841b7c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636677173547566241&sdata=JJAAb9BrgDUN75DiTjCq5FNaKKzr3XJpxGdXdVU5l2M%3D&reserved=0">www.trustwave.com</a></span></u><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#6B6C6E"> </span><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#6C6C6E">Recognized by industry analysts as a
</span></i><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#6C6C6E"><a href="https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D4062%26d%3Dj8nS238UZnL2IlLwbeXP9kOIPzj_JvbmuGzYnEUDJg%26s%3D5%26u%3Dhttps%253a%252f%252fna01%252esafelinks%252eprotection%252eoutlook%252ecom%252f%253furl%253dhttps%25253A%25252F%25252Fwww%252etrustwave%252ecom%25252FCompany%25252FAbout-Us%25252FAccolades%25252F%2526data%253d02%25257C01%25257CMike%252eReilly%252540microsoft%252ecom%25257Cbe4ed645001a46cdd71d08d5ee7d9c51%25257C72f988bf86f141af91ab2d7cd011db47%25257C1%25257C1%25257C636677145622304659%2526sdata%253dI1uhJfBS56wS6ucXdsgKXt9DiCImWJLLNwYlKbh5ahg%25253D%2526reserved%253d0&data=02%7C01%7CMike.Reilly%40microsoft.com%7C3d48be4dc6294c3cef4b08d5ee841b7c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636677173547566241&sdata=t3%2BERzbjp3HatUge2g3YqXsnkEUPbUZTXfvwS1hrhPI%3D&reserved=0"><i><span style="color:#0079CD">leader
 in managed security services</span></i></a></span><i><u><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#0079CD">.</span></u></i><o:p></o:p></p>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org">servercert-wg-bounces@cabforum.org</a>> on behalf of "Mike Reilly
 (GRC) via Servercert-wg" <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>><br>
<b>Reply-To: </b>"Mike Reilly (GRC)" <<a href="mailto:Mike.Reilly@microsoft.com">Mike.Reilly@microsoft.com</a>>, CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>><br>
<b>Date: </b>Friday, July 20, 2018 at 2:35 PM<br>
<b>To: </b>Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>>, CABFPub <<a href="mailto:public@cabforum.org">public@cabforum.org</a>>, Wayne Thayer <<a href="mailto:wthayer@mozilla.com">wthayer@mozilla.com</a>><br>
<b>Cc: </b>"<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>" <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>><br>
<b>Subject: </b>Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network Security Guidelines</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<ul style="margin-top:0in;caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px" type="disc">
<li class="MsoNormal" style="color:black;mso-list:l1 level1 lfo3">Any wording that requires that a password NOT be changed within a certain period of time is problematic, as there are numerous legitimate exceptions (e.g. employee departure, suspected compromise) and auditing compliance will be a challenge.<o:p></o:p></li></ul>
</div>
</body>
</html>