I don’t think the proposed language has a requirement that the password NOT change. The requirement is that you don’t have a policy REQUIRING it to change simply based on its age, unless that time period is >= 2 years. Changing it more frequently than every 2 years in the event of an employee departure or a password compromise would be fine, as presumably would be any arbitrary other criteria the CA might use (I think I saw a drone flying over our data center.. better change those passwords!) So given that, I don’t think the original 3 concerns apply, as the first 2 (employee departure and password compromise) would be valid alternative reasons to change the password even with the proposed change, and the third (auditors verifying that the password wasn’t changed) wouldn’t be necessary. The auditor would only verify that there was no time-based policy requiring a regular change; not whether or not a change had been performed.
Tim Shirley Software Architect t: +1 412.395.2234 Trustwave | SMART SECURITY ON DEMAND www.trustwave.com<http://www.trustwave.com/> Recognized by industry analysts as a leader in managed security services<https://www.trustwave.com/Company/About-Us/Accolades/>. From: Servercert-wg <[email protected]> on behalf of "Mike Reilly (GRC) via Servercert-wg" <[email protected]> Reply-To: "Mike Reilly (GRC)" <[email protected]>, CA/B Forum Server Certificate WG Public Discussion List <[email protected]> Date: Friday, July 20, 2018 at 2:35 PM To: Tim Hollebeek <[email protected]>, CABFPub <[email protected]>, Wayne Thayer <[email protected]> Cc: "[email protected]" <[email protected]> Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network Security Guidelines * Any wording that requires a password NOT change within a certain period of time is problematic as there are numerous exceptions and auditing will be a challenge.
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
