Hi Tim.  Given our offline discussion and some of the other folks’ comments 
(e.g. Geoff’s on JIT) the ballot makes better sense now.  Thanks, Mike

From: Tim Shirley <[email protected]>
Sent: Friday, July 20, 2018 2:02 PM
To: Mike Reilly (GRC) <[email protected]>; CA/B Forum Server 
Certificate WG Public Discussion List <[email protected]>; Tim 
Hollebeek <[email protected]>; CA/Browser Forum Public Discussion List 
<[email protected]>; Wayne Thayer <[email protected]>
Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network 
Security Guidelines

That one I’m less sure about.  I don’t think I would read that requirement as 
applying to one-time-use passwords, which I believe is what you’re describing.  
But perhaps there’s a way to make that more explicit if others disagree.  I 
assume it wasn’t intentional to exclude such a use case.

From: "Mike Reilly (GRC)" <[email protected]>
Date: Friday, July 20, 2018 at 4:41 PM
To: Tim Shirley <[email protected]>, CA/B Forum Server Certificate WG Public Discussion List <[email protected]>, Tim Hollebeek <[email protected]>, CABFPub <[email protected]>, Wayne Thayer <[email protected]>
Subject: RE: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network Security Guidelines

Hi Tim S.  That was the last point I made about the use of Just In Time (JIT) admin, where all CA access is done with a session password that is deleted when the session ends. So we literally have passwords that last minutes. Once the session ends the password is useless.  That would be a CA policy requiring the password to change based on its age, which would be measured in minutes.  Thanks, Mike


From: Tim Shirley <[email protected]>
Sent: Friday, July 20, 2018 1:16 PM
To: Mike Reilly (GRC) <[email protected]>; CA/B Forum Server Certificate WG Public Discussion List <[email protected]>; Tim Hollebeek <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]>; Wayne Thayer <[email protected]>
Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network Security Guidelines

I don’t think the proposed language has a requirement that the password NOT 
change.  The requirement is that you don’t have a policy REQUIRING it to change 
simply based on its age, unless that time period is >= 2 years.  Changing it 
more frequently than every 2 years in the event of an employee departure or a 
password compromise would be fine, as presumably would be any arbitrary other 
criteria the CA might use (I think I saw a drone flying over our data center..  
better change those passwords!)  So given that, I don’t think the original 3 
concerns apply, as the first 2 (employee departure and password compromise) 
would be valid alternative reasons to change the password even with the 
proposed change, and the third (auditors verifying that the password wasn’t 
changed) wouldn’t be necessary.  The auditor would only verify that there was 
no time-based policy requiring a regular change; not whether or not a change 
had been performed.

Tim Shirley
Software Architect
t: +1 412.395.2234

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com


From: Servercert-wg <[email protected]> on behalf of "Mike Reilly (GRC) via Servercert-wg" <[email protected]>
Reply-To: "Mike Reilly (GRC)" <[email protected]>, CA/B Forum Server Certificate WG Public Discussion List <[email protected]>
Date: Friday, July 20, 2018 at 2:35 PM
To: Tim Hollebeek <[email protected]>, CABFPub <[email protected]>, Wayne Thayer <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network Security Guidelines

  *   Any wording that requires a password NOT change within a certain period of time is problematic, as there are numerous exceptions and auditing will be a challenge.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public