[Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network Security Guidelines

Tim Shirley TShirley at trustwave.com
Fri Jul 20 13:15:56 MST 2018

I don’t think the proposed language has a requirement that the password NOT change.  The requirement is that you don’t have a policy REQUIRING it to change simply based on its age, unless that time period is >= 2 years.  Changing it more frequently than every 2 years in the event of an employee departure or a password compromise would be fine, as presumably would be any arbitrary other criteria the CA might use (I think I saw a drone flying over our data center..  better change those passwords!)  So given that, I don’t think the original 3 concerns apply, as the first 2 (employee departure and password compromise) would be valid alternative reasons to change the password even with the proposed change, and the third (auditors verifying that the password wasn’t changed) wouldn’t be necessary.  The auditor would only verify that there was no time-based policy requiring a regular change; not whether or not a change had been performed.

Tim Shirley
Software Architect
t: +1 412.395.2234


Recognized by industry analysts as a leader in managed security services<https://www.trustwave.com/Company/About-Us/Accolades/>.

From: Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of "Mike Reilly (GRC) via Servercert-wg" <servercert-wg at cabforum.org>
Reply-To: "Mike Reilly (GRC)" <Mike.Reilly at microsoft.com>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Date: Friday, July 20, 2018 at 2:35 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>, CABFPub <public at cabforum.org>, Wayne Thayer <wthayer at mozilla.com>
Cc: "servercert-wg at cabforum.org" <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network Security Guidelines

  *   Any wording that requires a password NOT change within a certain period of time is problematic as there are numerous exceptions and auditing will be a challenge.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20180720/3ec36387/attachment.html>

More information about the Servercert-wg mailing list