[cabfpub] [cabfman] Ballot[83] - Adopt Network and Certificate System Security Requirements

Ryan Hurst ryan.hurst at globalsign.com
Thu Aug 2 00:54:19 MST 2012 

Unfortunately GlobalSign has to vote Abstain at this point.

 

This document has made a ton of progress but still has a few implementation specific gotchas, for example:

 

“For accounts that are accessible from outside a Secure Zone or High Security Zone, require that passwords have at least eight (8) characters, be changed at least every 90 days, use a combination of at least numeric and alphabetic characters, that are not a dictionary word or on a list of previously disclosed human-generated passwords, and not be one of the user’s previous four passwords; and implement account lockout for failed access attempts in accordance with”

 

I suspect an auditor will read “password” and apply the same rules to “pins” on smartcards where the word list and previous password vectors are mitigated  by the smartcards lockout mechanism vs checking the pin with some central system for these conditions as is required for passwords.

 

There are a few examples of this, all of which look like they could be addressed with additional definitions so there is no reading between the lines needed when it comes to audits.

 

Ryan 

 

From: management-bounces at cabforum.org [mailto:management-bounces at cabforum.org] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Wednesday, August 01, 2012 11:35 AM
To: 'management at cabforum.org'
Cc: CABFPub
Subject: Re: [cabfman] [cabfpub] Ballot[83] - Adopt Network and Certificate System Security Requirements

 

StartCom votes ABSTAIN

The effort is excellent, but might be difficult to implement and audit as a requirement rather than best practice. I believe some parts of the proposed requirements should be incorporated into the BR, respectively EV guidelines, whereas others should remain as best practice instructions for the CAs to follow.

On 07/23/2012 04:22 PM, From Tim Moses: 

Ben Wilson made the following motion, and Bill Madell and Rick Andrews endorsed it:

Motion begins

As of 1 January 2013 (“Effective Date”), the CA/Browser Forum adopts the “Network and Certificate System Security Requirements” Ballot Draft 1 (available here:  <https://www.cabforum.org/wiki/Balloted%20Drafts> https://www.cabforum.org/wiki/Balloted%20Drafts) as Version 1.0. Upon adoption the Ballot Draft shall be assigned a version number of 1.0 and be posted as a Forum Guideline to the cabforum.org Web site.

The members request that those members who have worked on the Network and Certificate System Security Requirements coordinate with the  <https://www.cabforum.org/wiki/WebTrust> WebTrust Task Force and ETSI and work on adaptations of the Network and Certificate System Security Requirements that can be incorporated into the respective  <https://www.cabforum.org/wiki/WebTrust> WebTrust and ETSI audit criteria as soon as feasible.

The ballot review period comes into effect at 2100 UTC on 20 July '12 and will close at 2100 UTC on 27 July '12. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2100 UTC on 3 Aug '12. Votes must be cast by posting an on-list reply to this thread.

Motion ends

A vote in favour of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted.

Voting members are listed here:

 <http://www.cabforum.org/forum.html> http://www.cabforum.org/forum.html

with the addition of  <https://www.cabforum.org/wiki/TrendMicro> TrendMicro.

In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and one half or more of the votes cast by members in the browser category must be in favour. Also, at least seven members must participate in the ballot, either by voting in favour, voting against or abstaining.

 

 

T: +1 613 270 3183

 






_______________________________________________
Public mailing list
Public at cabforum.org
http://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cabforum.org/pipermail/public/attachments/20120802/1a9cfbc2/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4276 bytes
Desc: not available
Url : http://cabforum.org/pipermail/public/attachments/20120802/1a9cfbc2/attachment-0001.bin

More information about the Public mailing list