[cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

Tim Hollebeek tim.hollebeek at digicert.com
Sat Jul 14 00:09:40 MST 2018


Mike,

Is there a finite number of years larger than two you could get behind?

-Tim

From: Mike Reilly (GRC) [mailto:Mike.Reilly at microsoft.com] 
Sent: Friday, July 13, 2018 7:39 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>; Wayne Thayer <wthayer at mozilla.com>
Cc: servercert-wg at cabforum.org
Subject: RE: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

Tim and Wayne, I believe making this a requirement will be problematic as I commented on with the original ballot (at bottom of thread).  So language would need to be as shown below. Thanks, Mike

  iv. Frequent password changes have been shown to cause users to select less secure passwords. If the CA has any policy that specifies routine periodic password changes, that period SHOULD NOT be less than two years. Effective April 1, 2020, if the CA has any policy that requires routine periodic password changes, that period SHALL NOT be less than two years.

From: Public <public-bounces at cabforum.org> On Behalf Of Tim Hollebeek via Public
Sent: Friday, July 13, 2018 3:49 PM
To: Wayne Thayer <wthayer at mozilla.com>
Cc: servercert-wg at cabforum.org; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

Works for me.  I’ll update the ballot.

-Tim

From: Wayne Thayer [mailto:wthayer at mozilla.com] 
Sent: Friday, July 13, 2018 12:24 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; servercert-wg at cabforum.org
Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

On Fri, Jul 13, 2018 at 4:50 AM Tim Hollebeek <tim.hollebeek at digicert.com> wrote:

Do you have proposed modifications that would address these questions?  I would be happy to incorporate them.

How about this:

  iv. Frequent password changes have been shown to cause users to select less secure passwords. If the CA has any policy that specifies routine periodic password changes, that period SHOULD NOT be less than two years. Effective April 1, 2020, if the CA has any policy that requires routine periodic password changes, that period SHALL NOT be less than two years.

From: Wayne Thayer [mailto:wthayer at mozilla.com]
Sent: Thursday, July 12, 2018 7:35 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Adriano Santoni <adriano.santoni at staff.aruba.it>; servercert-wg at cabforum.org
Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

How are the concerns that were raised by Microsoft (copied below for reference) addressed in this version? If the intent is for the language in section 2.g(iv) to only apply to periodic, policy-driven password changes and not to prevent event-driven changes, I think that should be clarified.

* How would auditors verify and prove that a CA did not change a password more frequently than two years? This is trying to prove a negative.
* What about when a CA employee who knows the password leaves, which requires it to be changed in less than two years?
* What about if the password is compromised and needs to be changed in less than two years?

- Wayne
