Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

[Mike Reilly (GRC) via Public]

Tim and Wayne, I believe making this a requirement will be problematic as I 
commented on with the original ballot (at bottom of thread).  So language would 
need to be as shown below. Thanks, Mike

  iv.         Frequent password changes have been shown to cause users to 
select less
               secure passwords.  If the CA has any policy that specifies 
routine periodic password changes,
               that period SHOULD NOT be less than two years.  Effective April 
1, 2020,
               if the CA has any policy that requires routine periodic password 
changes, that period SHALL NOT
               be less than two years."

From: Public <public-boun...@cabforum.org> On Behalf Of Tim Hollebeek via Public
Sent: Friday, July 13, 2018 3:49 PM
To: Wayne Thayer <wtha...@mozilla.com>
Cc: servercert...@cabforum.org; CA/Browser Forum Public Discussion List 
<public@cabforum.org>
Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines

Works for me.  I’ll update the ballot.

-Tim

From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: Friday, July 13, 2018 12:24 PM
To: Tim Hollebeek 
<tim.holleb...@digicert.com<mailto:tim.holleb...@digicert.com>>
Cc: CA/Browser Forum Public Discussion List 
<public@cabforum.org<mailto:public@cabforum.org>>; 
servercert...@cabforum.org<mailto:servercert...@cabforum.org>
Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines

On Fri, Jul 13, 2018 at 4:50 AM Tim Hollebeek 
<tim.holleb...@digicert.com<mailto:tim.holleb...@digicert.com>> wrote:
Do you have proposed modifications that would address these questions?  I would 
be happy to incorporate them.


How about this:

  iv.         Frequent password changes have been shown to cause users to 
select less
               secure passwords.  If the CA has any policy that specifies 
routine periodic password changes,
               that period SHOULD NOT be less than two years.  Effective April 
1, 2020,
               if the CA has any policy that requires routine periodic password 
changes, that period SHALL NOT
               be less than two years."

From: Wayne Thayer [mailto:wtha...@mozilla.com<mailto:wtha...@mozilla.com>]
Sent: Thursday, July 12, 2018 7:35 PM
To: Tim Hollebeek 
<tim.holleb...@digicert.com<mailto:tim.holleb...@digicert.com>>; CA/Browser 
Forum Public Discussion List <public@cabforum.org<mailto:public@cabforum.org>>
Cc: Adriano Santoni 
<adriano.sant...@staff.aruba.it<mailto:adriano.sant...@staff.aruba.it>>; 
servercert...@cabforum.org<mailto:servercert...@cabforum.org>
Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines

How are the concerns that were raised by Microsoft (copied below for reference) 
addressed in this version? If the intent is for the language in section 2.g(iv) 
to only apply to periodic, policy-driven password changes and not to prevent 
event-driven changes, I think that should be clarified.

* How would auditors verify and prove that a CA did not change a password more 
frequently than two years? This is trying to prove a negative.
* What about when a CA employee leaves who knows the password which requires it 
to be change in less than two years?
* What about if the password is compromised and needs to be changed in less 
than two years?

- Wayne


_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public