[Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network Security Guidelines

Wayne Thayer wthayer at mozilla.com
Fri Jul 13 09:23:50 MST 2018 

On Fri, Jul 13, 2018 at 4:50 AM Tim Hollebeek <tim.hollebeek at digicert.com>
wrote:

> Do you have proposed modifications that would address these questions?  I
> would be happy to incorporate them.
>
>
>

How about this:

  iv.         Frequent password changes have been shown to cause users to
select less

               secure passwords.  If the CA has any policy that specifies
routine periodic password changes,

               that period SHOULD NOT be less than two years.  Effective
April 1, 2020,

               if the CA has any policy that requires routine periodic
password changes, that period SHALL NOT

               be less than two years."

*From:* Wayne Thayer [mailto:wthayer at mozilla.com]
> *Sent:* Thursday, July 12, 2018 7:35 PM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Cc:* Adriano Santoni <adriano.santoni at staff.aruba.it>;
> servercert-wg at cabforum.org
> *Subject:* Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to
> Network Security Guidelines
>
>
>
> How are the concerns that were raised by Microsoft (copied below for
> reference) addressed in this version? If the intent is for the language in
> section 2.g(iv) to only apply to periodic, policy-driven password changes
> and not to prevent event-driven changes, I think that should be clarified.
>
>
>
> * How would auditors verify and prove that a CA did not change a password
> more frequently than two years? This is trying to prove a negative.
> * What about when a CA employee leaves who knows the password which
> requires it to be change in less than two years?
> * What about if the password is compromised and needs to be changed in
> less than two years?
>
>
>
> - Wayne
>
>
>
> <https://cabforum.org/mailman/listinfo/public>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20180713/f2eaec3b/attachment.html>

More information about the Servercert-wg mailing list