[cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

Ryan Sleevi sleevi at google.com
Sat Jul 14 19:07:23 MST 2018


As Tim has pointed out, the frequent rotation is actively known to result
in weaker security passwords.

Part of the goal of the CA/Browser Forum is to ensure that Relying Parties
- the billions of users who depend on certificates to be correctly issued -
are protected. The past several years have demonstrated that CA teams' (as
a collective industry, across all members) risk analysis is simply not up
to the necessary standards of trust. Further, it's been shown that without
normative guidance, then what matters is not what the 'best' CA does, but
what the 'worst' CA does.

This is not about the CA/Browser Forum leading the overall security
industry in any way. This is such well-established practice at this point,
that it's a sign of the CA/Browser Forum permitting or encouraging
technological superstition as a way to keep the monsters at bay, rather
than taking concrete steps to improve security.

On Sat, Jul 14, 2018 at 3:10 AM Tim Hollebeek via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Mike,
>
>
>
> Is there a finite number of years larger than two you could get behind?
>
>
>
> -Tim
>
>
>
> *From:* Mike Reilly (GRC) [mailto:Mike.Reilly at microsoft.com]
> *Sent:* Friday, July 13, 2018 7:39 PM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>; Wayne Thayer <wthayer at mozilla.com>
> *Cc:* servercert-wg at cabforum.org
> *Subject:* RE: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to
> Network Security Guidelines
>
>
>
> Tim and Wayne, I believe making this a requirement will be problematic as
> I commented on with the original ballot (at bottom of thread).  So language
> would need to be as shown below. Thanks, Mike
>
>
>
>   iv.         Frequent password changes have been shown to cause users to
> select less
>
>                secure passwords.  If the CA has any policy that specifies
> routine periodic password changes,
>
>                that period SHOULD NOT be less than two years.  Effective
> April 1, 2020,
>
>                if the CA has any policy that requires routine periodic
> password changes, that period SHALL NOT
>
>                be less than two years."
>
>
>
> *From:* Public <public-bounces at cabforum.org> *On Behalf Of *Tim Hollebeek
> via Public
> *Sent:* Friday, July 13, 2018 3:49 PM
> *To:* Wayne Thayer <wthayer at mozilla.com>
> *Cc:* servercert-wg at cabforum.org; CA/Browser Forum Public Discussion List
> <public at cabforum.org>
> *Subject:* Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to
> Network Security Guidelines
>
>
>
> Works for me.  I’ll update the ballot.
>
>
>
> -Tim
>
>
>
> *From:* Wayne Thayer [mailto:wthayer at mozilla.com <wthayer at mozilla.com>]
> *Sent:* Friday, July 13, 2018 12:24 PM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>
> *Cc:* CA/Browser Forum Public Discussion List <public at cabforum.org>;
> servercert-wg at cabforum.org
> *Subject:* Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to
> Network Security Guidelines
>
>
>
> On Fri, Jul 13, 2018 at 4:50 AM Tim Hollebeek <tim.hollebeek at digicert.com>
> wrote:
>
> Do you have proposed modifications that would address these questions?  I
> would be happy to incorporate them.
>
>
>
>
>
> How about this:
>
>
>
>   iv.         Frequent password changes have been shown to cause users to
> select less
>
>                secure passwords.  If the CA has any policy that specifies
> routine periodic password changes,
>
>                that period SHOULD NOT be less than two years.  Effective
> April 1, 2020,
>
>                if the CA has any policy that requires routine periodic
> password changes, that period SHALL NOT
>
>                be less than two years."
>
>
>
> *From:* Wayne Thayer [mailto:wthayer at mozilla.com]
> *Sent:* Thursday, July 12, 2018 7:35 PM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Cc:* Adriano Santoni <adriano.santoni at staff.aruba.it>;
> servercert-wg at cabforum.org
> *Subject:* Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to
> Network Security Guidelines
>
>
>
> How are the concerns that were raised by Microsoft (copied below for
> reference) addressed in this version? If the intent is for the language in
> section 2.g(iv) to only apply to periodic, policy-driven password changes
> and not to prevent event-driven changes, I think that should be clarified.
>
>
>
> * How would auditors verify and prove that a CA did not change a password
> more frequently than two years? This is trying to prove a negative.
> * What about when a CA employee leaves who knows the password which
> requires it to be change in less than two years?
> * What about if the password is compromised and needs to be changed in
> less than two years?
>
>
>
> - Wayne
>
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20180714/d7c93be7/attachment.html>


More information about the Public mailing list