[cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

Mike Reilly (GRC) Mike.Reilly at microsoft.com
Mon Jul 23 18:51:52 UTC 2018


Hi Tim.  Given our offline discussion and some of the other folks’ comments (e.g. Geoff’s on JIT) the ballot makes better sense now.  Thanks, Mike

From: Tim Shirley <TShirley at trustwave.com>
Sent: Friday, July 20, 2018 2:02 PM
To: Mike Reilly (GRC) <Mike.Reilly at microsoft.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>; Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>; Wayne Thayer <wthayer at mozilla.com>
Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network Security Guidelines

That one I’m less sure about.  I don’t think I would read that requirement as applying to one-time-use passwords, which I believe is what you’re describing.  But perhaps there’s a way to make that more explicit if others disagree.  I assume it wasn’t intentional to exclude such a use case.

From: "Mike Reilly (GRC)" <Mike.Reilly at microsoft.com<mailto:Mike.Reilly at microsoft.com>>
Date: Friday, July 20, 2018 at 4:41 PM
To: Tim Shirley <TShirley at trustwave.com<mailto:TShirley at trustwave.com>>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>, Tim Hollebeek <tim.hollebeek at digicert.com<mailto:tim.hollebeek at digicert.com>>, CABFPub <public at cabforum.org<mailto:public at cabforum.org>>, Wayne Thayer <wthayer at mozilla.com<mailto:wthayer at mozilla.com>>
Subject: RE: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network Security Guidelines

Hi Tim S.  What the last point I made about the use of Just In Time (JIT) admin where all CA access is done with a session password that is deleted when the session ends. So we literally have passwords that last minutes. Once the session ends the password is useless.  That would be a CA policy requiring the password to change based on it’s age, which would be measured in minutes.  Thanks, Mike


From: Tim Shirley <TShirley at trustwave.com<mailto:TShirley at trustwave.com>>
Sent: Friday, July 20, 2018 1:16 PM
To: Mike Reilly (GRC) <Mike.Reilly at microsoft.com<mailto:Mike.Reilly at microsoft.com>>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>; Tim Hollebeek <tim.hollebeek at digicert.com<mailto:tim.hollebeek at digicert.com>>; CA/Browser Forum Public Discussion List <public at cabforum.org<mailto:public at cabforum.org>>; Wayne Thayer <wthayer at mozilla.com<mailto:wthayer at mozilla.com>>
Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network Security Guidelines

I don’t think the proposed language has a requirement that the password NOT change.  The requirement is that you don’t have a policy REQUIRING it to change simply based on its age, unless that time period is >= 2 years.  Changing it more frequently than every 2 years in the event of an employee departure or a password compromise would be fine, as presumably would be any arbitrary other criteria the CA might use (I think I saw a drone flying over our data center..  better change those passwords!)  So given that, I don’t think the original 3 concerns apply, as the first 2 (employee departure and password compromise) would be valid alternative reasons to change the password even with the proposed change, and the third (auditors verifying that the password wasn’t changed) wouldn’t be necessary.  The auditor would only verify that there was no time-based policy requiring a regular change; not whether or not a change had been performed.

Tim Shirley
Software Architect
t: +1 412.395.2234

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D4062%26d%3Dj8nS238UZnL2IlLwbeXP9kOIPzj_JvbmuDvfwkQEdA%26s%3D5%26u%3Dhttps%253a%252f%252fna01%252esafelinks%252eprotection%252eoutlook%252ecom%252f%253furl%253dhttp%25253A%25252F%25252Fwww%252etrustwave%252ecom%25252F%2526data%253d02%25257C01%25257CMike%252eReilly%252540microsoft%252ecom%25257Cbe4ed645001a46cdd71d08d5ee7d9c51%25257C72f988bf86f141af91ab2d7cd011db47%25257C1%25257C1%25257C636677145622294651%2526sdata%253dz16wfoijuHAaZQPSTYbZfzY84eEgaMix2vyKOm7GgLE%25253D%2526reserved%253d0&data=02%7C01%7CMike.Reilly%40microsoft.com%7C3d48be4dc6294c3cef4b08d5ee841b7c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636677173547566241&sdata=JJAAb9BrgDUN75DiTjCq5FNaKKzr3XJpxGdXdVU5l2M%3D&reserved=0>

Recognized by industry analysts as a leader in managed security services<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D4062%26d%3Dj8nS238UZnL2IlLwbeXP9kOIPzj_JvbmuGzYnEUDJg%26s%3D5%26u%3Dhttps%253a%252f%252fna01%252esafelinks%252eprotection%252eoutlook%252ecom%252f%253furl%253dhttps%25253A%25252F%25252Fwww%252etrustwave%252ecom%25252FCompany%25252FAbout-Us%25252FAccolades%25252F%2526data%253d02%25257C01%25257CMike%252eReilly%252540microsoft%252ecom%25257Cbe4ed645001a46cdd71d08d5ee7d9c51%25257C72f988bf86f141af91ab2d7cd011db47%25257C1%25257C1%25257C636677145622304659%2526sdata%253dI1uhJfBS56wS6ucXdsgKXt9DiCImWJLLNwYlKbh5ahg%25253D%2526reserved%253d0&data=02%7C01%7CMike.Reilly%40microsoft.com%7C3d48be4dc6294c3cef4b08d5ee841b7c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636677173547566241&sdata=t3%2BERzbjp3HatUge2g3YqXsnkEUPbUZTXfvwS1hrhPI%3D&reserved=0>.


From: Servercert-wg <servercert-wg-bounces at cabforum.org<mailto:servercert-wg-bounces at cabforum.org>> on behalf of "Mike Reilly (GRC) via Servercert-wg" <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Reply-To: "Mike Reilly (GRC)" <Mike.Reilly at microsoft.com<mailto:Mike.Reilly at microsoft.com>>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Date: Friday, July 20, 2018 at 2:35 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com<mailto:tim.hollebeek at digicert.com>>, CABFPub <public at cabforum.org<mailto:public at cabforum.org>>, Wayne Thayer <wthayer at mozilla.com<mailto:wthayer at mozilla.com>>
Cc: "servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>" <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network Security Guidelines


  *   Any wording that requires a password NOT change within a certain period of time is problematic as there are numerous exceptions and auditing will be a challenge.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180723/459506eb/attachment-0003.html>


More information about the Public mailing list