Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-23 Thread Mike Reilly (GRC) via Public
Hi Tim.  Given our offline discussion and some of the other folks’ comments 
(e.g. Geoff’s on JIT) the ballot makes better sense now.  Thanks, Mike

From: Tim Shirley 
Sent: Friday, July 20, 2018 2:02 PM
To: Mike Reilly (GRC) ; CA/B Forum Server 
Certificate WG Public Discussion List ; Tim 
Hollebeek ; CA/Browser Forum Public Discussion List 
; Wayne Thayer 
Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network 
Security Guidelines

That one I’m less sure about.  I don’t think I would read that requirement as 
applying to one-time-use passwords, which I believe is what you’re describing.  
But perhaps there’s a way to make that more explicit if others disagree.  I 
assume it wasn’t intentional to exclude such a use case.

From: "Mike Reilly (GRC)" <mike.rei...@microsoft.com>
Date: Friday, July 20, 2018 at 4:41 PM
To: Tim Shirley <tshir...@trustwave.com>, CA/B Forum Server Certificate WG 
Public Discussion List <servercert...@cabforum.org>, Tim Hollebeek 
<tim.holleb...@digicert.com>, CABFPub <public@cabforum.org>, Wayne Thayer 
<wtha...@mozilla.com>
Subject: RE: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network 
Security Guidelines

Hi Tim S.  What about the last point I made about the use of Just In Time (JIT) 
admin, where all CA access is done with a session password that is deleted when 
the session ends?  So we literally have passwords that last minutes.  Once the 
session ends the password is useless.  That would be a CA policy requiring the 
password to change based on its age, which would be measured in minutes.  
Thanks, Mike


From: Tim Shirley <tshir...@trustwave.com>
Sent: Friday, July 20, 2018 1:16 PM
To: Mike Reilly (GRC) <mike.rei...@microsoft.com>; CA/B Forum Server 
Certificate WG Public Discussion List <servercert...@cabforum.org>; Tim 
Hollebeek <tim.holleb...@digicert.com>; CA/Browser Forum Public Discussion 
List <public@cabforum.org>; Wayne Thayer <wtha...@mozilla.com>
Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network 
Security Guidelines

I don’t think the proposed language has a requirement that the password NOT 
change.  The requirement is that you don’t have a policy REQUIRING it to change 
simply based on its age, unless that time period is >= 2 years.  Changing it 
more frequently than every 2 years in the event of an employee departure or a 
password compromise would be fine, as presumably would be any arbitrary other 
criteria the CA might use (I think I saw a drone flying over our data center..  
better change those passwords!)  So given that, I don’t think the original 3 
concerns apply, as the first 2 (employee departure and password compromise) 
would be valid alternative reasons to change the password even with the 
proposed change, and the third (auditors verifying that the password wasn’t 
changed) wouldn’t be necessary.  The auditor would only verify that there was 
no time-based policy requiring a regular change; not whether or not a change 
had been performed.

Tim Shirley
Software Architect
t: +1 412.395.2234

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

Recognized by industry analysts as a leader in managed security services.


From: Servercert-w

Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-20 Thread Geoff Keating via Public

> On 20 Jul 2018, at 1:41 pm, Mike Reilly (GRC) via Public 
>  wrote:
> 
> Hi Tim S.  What about the last point I made about the use of Just In Time 
> (JIT) admin, where all CA access is done with a session password that is 
> deleted when the session ends?  So we literally have passwords that last 
> minutes.  Once the session ends the password is useless.  That would be a CA 
> policy requiring the password to change based on its age, which would be 
> measured in minutes.  Thanks, Mike

That wouldn’t be a ‘periodic’ change, because the password isn’t changed, it’s 
deleted, and because it only happens once.

___
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
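The JIT access pattern Mike Reilly describes and Geoff Keating characterises (a per-session password that is deleted, not changed, and only once) can be made concrete with a small credential broker. The following is an added example written for this page; it is not code from the thread, the Network Security Guidelines, or any CA's system. The `JITBroker` class, the session TTL, the PBKDF2 storage, the audit log and the `lifetime_report` helper are all assumptions made for the illustration; the thread only says that a session password is issued at session start and deleted at session end.

```python
"""Just-in-time (JIT) session credential broker (added illustration).

Every CA administrative session gets its own random password, issued when
the session opens and deleted when it closes.  Nothing is ever "rotated":
the credential simply ceases to exist.  The broker, TTL, audit log and
report below are assumptions made for this example, not any CA's design.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SESSION_TTL_SECONDS = 15 * 60   # assumed hard ceiling on a session's life


@dataclass
class SessionCredential:
    session_id: str
    operator: str
    salt: bytes
    digest: bytes
    issued_at: float
    expires_at: float


def _derive(password: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 digest rather than the password, so a leaked
    # broker store does not hand out live session credentials.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


class JITBroker:
    def __init__(self, clock: Callable[[], float] = time.time,
                 ttl: int = SESSION_TTL_SECONDS) -> None:
        self._clock = clock
        self._ttl = ttl
        self._live: Dict[str, SessionCredential] = {}
        # (event, session_id, operator, timestamp).  "issued" happens exactly
        # once per session; the credential is only ever removed, never replaced.
        self.audit_log: List[Tuple[str, str, str, float]] = []

    def open_session(self, operator: str) -> Tuple[str, str]:
        """Mint a fresh session and return (session_id, password)."""
        session_id = secrets.token_hex(8)
        password = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        now = self._clock()
        self._live[session_id] = SessionCredential(
            session_id, operator, salt, _derive(password, salt), now, now + self._ttl)
        self.audit_log.append(("issued", session_id, operator, now))
        return session_id, password

    def authenticate(self, session_id: str, password: str) -> bool:
        """Accept the password only while its session is live and unexpired."""
        cred = self._live.get(session_id)
        if cred is None:
            return False
        if self._clock() >= cred.expires_at:
            # Expiry is enforced on use, not by a background rotation job.
            self.close_session(session_id, reason="expired")
            return False
        return hmac.compare_digest(_derive(password, cred.salt), cred.digest)

    def close_session(self, session_id: str, reason: str = "ended") -> bool:
        """Delete the credential; there is no 'new password' to roll to."""
        cred = self._live.pop(session_id, None)
        if cred is None:
            return False
        self.audit_log.append((reason, session_id, cred.operator, self._clock()))
        return True

    def live_sessions(self) -> List[str]:
        return sorted(self._live)


def lifetime_report(audit_log) -> Dict[str, Tuple[str, float]]:
    """Per session: how it ended and how many seconds the password existed.

    This is the evidence an auditor could inspect: each session id has one
    'issued' event and one terminal event, and lifetimes are minutes, not
    a rotation period.
    """
    issued: Dict[str, float] = {}
    report: Dict[str, Tuple[str, float]] = {}
    for event, session_id, _operator, ts in audit_log:
        if event == "issued":
            issued[session_id] = ts
        else:
            report[session_id] = (event, ts - issued[session_id])
    return report
```

Driving the broker with an injected clock (as the test below does) makes the distinction visible in the audit trail: a session password is either explicitly ended or lapses at its TTL, and in neither case is a replacement password issued for the same session, which is why an auditor checking for a "routine periodic password change" policy would find none to measure.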


Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-20 Thread Tim Shirley via Public
That one I’m less sure about.  I don’t think I would read that requirement as 
applying to one-time-use passwords, which I believe is what you’re describing.  
But perhaps there’s a way to make that more explicit if others disagree.  I 
assume it wasn’t intentional to exclude such a use case.

From: "Mike Reilly (GRC)" 
Date: Friday, July 20, 2018 at 4:41 PM
To: Tim Shirley , CA/B Forum Server Certificate WG 
Public Discussion List , Tim Hollebeek 
, CABFPub , Wayne Thayer 

Subject: RE: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network 
Security Guidelines

Hi Tim S.  What about the last point I made about the use of Just In Time (JIT) 
admin, where all CA access is done with a session password that is deleted when 
the session ends?  So we literally have passwords that last minutes.  Once the 
session ends the password is useless.  That would be a CA policy requiring the 
password to change based on its age, which would be measured in minutes.  
Thanks, Mike


From: Tim Shirley 
Sent: Friday, July 20, 2018 1:16 PM
To: Mike Reilly (GRC) ; CA/B Forum Server 
Certificate WG Public Discussion List ; Tim 
Hollebeek ; CA/Browser Forum Public Discussion List 
; Wayne Thayer 
Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network 
Security Guidelines

I don’t think the proposed language has a requirement that the password NOT 
change.  The requirement is that you don’t have a policy REQUIRING it to change 
simply based on its age, unless that time period is >= 2 years.  Changing it 
more frequently than every 2 years in the event of an employee departure or a 
password compromise would be fine, as presumably would be any arbitrary other 
criteria the CA might use (I think I saw a drone flying over our data center..  
better change those passwords!)  So given that, I don’t think the original 3 
concerns apply, as the first 2 (employee departure and password compromise) 
would be valid alternative reasons to change the password even with the 
proposed change, and the third (auditors verifying that the password wasn’t 
changed) wouldn’t be necessary.  The auditor would only verify that there was 
no time-based policy requiring a regular change; not whether or not a change 
had been performed.



From: Servercert-wg <servercert-wg-boun...@cabforum.org> on behalf of "Mike 
Reilly (GRC) via Servercert-wg" <servercert...@cabforum.org>
Reply-To: "Mike Reilly (GRC)" <mike.rei...@microsoft.com>, CA/B Forum Server 
Certificate WG Public Discussion List <servercert...@cabforum.org>
Date: Friday, July 20, 2018 at 2:35 PM
To: Tim Hollebeek <tim.holleb...@digicert.com>, CABFPub <public@cabforum.org>, 
Wayne Thayer <wtha...@mozilla.com>
Cc: servercert...@cabforum.org
Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network 
Security Guidelines


  *   Any wording that requires a password NOT change within a certain period 
of time is problematic as there are numerous exceptions and auditing will be a 
challenge.


Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-20 Thread Mike Reilly (GRC) via Public
Hi Tim S.  What about the last point I made about the use of Just In Time (JIT) 
admin, where all CA access is done with a session password that is deleted when 
the session ends?  So we literally have passwords that last minutes.  Once the 
session ends the password is useless.  That would be a CA policy requiring the 
password to change based on its age, which would be measured in minutes.  
Thanks, Mike


From: Tim Shirley 
Sent: Friday, July 20, 2018 1:16 PM
To: Mike Reilly (GRC) ; CA/B Forum Server 
Certificate WG Public Discussion List ; Tim 
Hollebeek ; CA/Browser Forum Public Discussion List 
; Wayne Thayer 
Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network 
Security Guidelines

I don’t think the proposed language has a requirement that the password NOT 
change.  The requirement is that you don’t have a policy REQUIRING it to change 
simply based on its age, unless that time period is >= 2 years.  Changing it 
more frequently than every 2 years in the event of an employee departure or a 
password compromise would be fine, as presumably would be any arbitrary other 
criteria the CA might use (I think I saw a drone flying over our data center..  
better change those passwords!)  So given that, I don’t think the original 3 
concerns apply, as the first 2 (employee departure and password compromise) 
would be valid alternative reasons to change the password even with the 
proposed change, and the third (auditors verifying that the password wasn’t 
changed) wouldn’t be necessary.  The auditor would only verify that there was 
no time-based policy requiring a regular change; not whether or not a change 
had been performed.



From: Servercert-wg <servercert-wg-boun...@cabforum.org> on behalf of "Mike 
Reilly (GRC) via Servercert-wg" <servercert...@cabforum.org>
Reply-To: "Mike Reilly (GRC)" <mike.rei...@microsoft.com>, CA/B Forum Server 
Certificate WG Public Discussion List <servercert...@cabforum.org>
Date: Friday, July 20, 2018 at 2:35 PM
To: Tim Hollebeek <tim.holleb...@digicert.com>, CABFPub <public@cabforum.org>, 
Wayne Thayer <wtha...@mozilla.com>
Cc: servercert...@cabforum.org
Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network 
Security Guidelines


  *   Any wording that requires a password NOT change within a certain period 
of time is problematic as there are numerous exceptions and auditing will be a 
challenge.


Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-20 Thread Tim Shirley via Public
I don’t think the proposed language has a requirement that the password NOT 
change.  The requirement is that you don’t have a policy REQUIRING it to change 
simply based on its age, unless that time period is >= 2 years.  Changing it 
more frequently than every 2 years in the event of an employee departure or a 
password compromise would be fine, as presumably would be any arbitrary other 
criteria the CA might use (I think I saw a drone flying over our data center..  
better change those passwords!)  So given that, I don’t think the original 3 
concerns apply, as the first 2 (employee departure and password compromise) 
would be valid alternative reasons to change the password even with the 
proposed change, and the third (auditors verifying that the password wasn’t 
changed) wouldn’t be necessary.  The auditor would only verify that there was 
no time-based policy requiring a regular change; not whether or not a change 
had been performed.



From: Servercert-wg  on behalf of "Mike 
Reilly (GRC) via Servercert-wg" 
Reply-To: "Mike Reilly (GRC)" , CA/B Forum Server 
Certificate WG Public Discussion List 
Date: Friday, July 20, 2018 at 2:35 PM
To: Tim Hollebeek , CABFPub , 
Wayne Thayer 
Cc: "servercert...@cabforum.org" 
Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network 
Security Guidelines


  *   Any wording that requires a password NOT change within a certain period 
of time is problematic as there are numerous exceptions and auditing will be a 
challenge.


Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-20 Thread Mike Reilly (GRC) via Public
Hi Tim. Sorry for the delayed response.  The concern is not the finite number 
of years but the fact that it would be a requirement vs. a recommendation or 
best practice.  The concern is NOT with a 2 year transition timeline but the 
fixed minimum timeline for life of a password.  The concerns I initially 
brought up are still not directly addressed.  Specifically:


  *   What about when a CA employee leaves who knows the password, which 
requires it to be changed in less than two years?
  *   What about if the password is compromised and needs to be changed in less 
than two years?
  *   How would auditors verify and prove that a CA did not change a password 
more frequently than two years? This is trying to prove a negative.
  *   Also, what about the use of Just In Time (JIT) admin where all CA access 
is done with a session password that is deleted when the session ends. So we 
literally have passwords that last minutes. Once the session ends the password 
is useless.

In summary:

  *   2 years is probably fine for implementation of whatever password change 
recommendation is put in place but we don’t think it should be a requirement.  
Any prescriptive language around password lifecycles should be avoided.
  *   Any wording that requires a password NOT change within a certain period 
of time is problematic as there are numerous exceptions and auditing will be a 
challenge.

Perhaps language such as this would work:  “Frequent password changes have been 
shown to cause users to select less secure passwords.  For passwords associated 
with CAs, key materials and related systems, it is recommended that the CA set 
password change targets of 2 years or more to reduce the risk of insecure 
passwords being used to control and operate CAs.”  However the use of JIT may 
make this problematic as well.

Thanks, Mike
From: Tim Hollebeek 
Sent: Saturday, July 14, 2018 12:10 AM
To: Mike Reilly (GRC) ; CA/Browser Forum Public 
Discussion List ; Wayne Thayer 
Cc: servercert...@cabforum.org
Subject: RE: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines

Mike,

Is there a finite number of years larger than two you could get behind?

-Tim

From: Mike Reilly (GRC) [mailto:mike.rei...@microsoft.com]
Sent: Friday, July 13, 2018 7:39 PM
To: Tim Hollebeek <tim.holleb...@digicert.com>; CA/Browser Forum Public 
Discussion List <public@cabforum.org>; Wayne Thayer <wtha...@mozilla.com>
Cc: servercert...@cabforum.org
Subject: RE: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines

Tim and Wayne, I believe making this a requirement will be problematic as I 
commented on with the original ballot (at bottom of thread).  So language would 
need to be as shown below. Thanks, Mike

  iv. Frequent password changes have been shown to cause users to select less
      secure passwords.  If the CA has any policy that specifies routine
      periodic password changes, that period SHOULD NOT be less than two
      years.  Effective April 1, 2020, if the CA has any policy that requires
      routine periodic password changes, that period SHALL NOT be less than
      two years."

From: Public <public-boun...@cabforum.org> On Behalf Of Tim Hollebeek via Public
Sent: Friday, July 13, 2018 3:49 PM
To: Wayne Thayer <wtha...@mozilla.com>
Cc: servercert...@cabforum.org; CA/Browser Forum Public Discussion List 
<public@cabforum.org>
Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines

Works for me.  I’ll update the ballot.

-Tim

From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: Friday, July 13, 2018 12:24 PM
To: Tim Hollebeek <tim.holleb...@digicert.com>
Cc: CA/Browser Forum Public Discussion List <public@cabforum.org>; 
servercert...@cabforum.org
Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines

On Fri, Jul 13, 2018 at 4:50 AM Tim Hollebeek <tim.holleb...@digicert.com> wrote:
Do you have proposed modifications that would address these questions?  I would 
be happy to incorporate them.


How about this:

  iv. Frequent password changes have been shown to cause users to select less
      secure passwords.  If the CA has any policy that specifies routine
      periodic password changes, that period SHOULD NOT be less than two
      years.  Effective April 1, 2020, if the CA has any policy that requires
      routine periodic password changes, that period SHALL NOT be less than
      two years."

From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: Thursday, July 12, 2018 7:35 PM
To: Tim Hollebeek 
mailto:tim.holleb...@

Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-14 Thread Ryan Sleevi via Public
As Tim has pointed out, the frequent rotation is actively known to result
in weaker security passwords.

Part of the goal of the CA/Browser Forum is to ensure that Relying Parties
- the billions of users who depend on certificates to be correctly issued -
are protected. The past several years have demonstrated that CA teams' (as
a collective industry, across all members) risk analysis is simply not up
to the necessary standards of trust. Further, it's been shown that without
normative guidance, then what matters is not what the 'best' CA does, but
what the 'worst' CA does.

This is not about the CA/Browser Forum leading the overall security
industry in any way. This is such well-established practice at this point,
that it's a sign of the CA/Browser Forum permitting or encouraging
technological superstition as a way to keep the monsters at bay, rather
than taking concrete steps to improve security.

On Sat, Jul 14, 2018 at 3:10 AM Tim Hollebeek via Servercert-wg <
servercert...@cabforum.org> wrote:

> Mike,
>
>
>
> Is there a finite number of years larger than two you could get behind?
>
>
>
> -Tim
>
>
>
> *From:* Mike Reilly (GRC) [mailto:mike.rei...@microsoft.com]
> *Sent:* Friday, July 13, 2018 7:39 PM
> *To:* Tim Hollebeek ; CA/Browser Forum Public
> Discussion List ; Wayne Thayer 
> *Cc:* servercert...@cabforum.org
> *Subject:* RE: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to
> Network Security Guidelines
>
>
>
> Tim and Wayne, I believe making this a requirement will be problematic as
> I commented on with the original ballot (at bottom of thread).  So language
> would need to be as shown below. Thanks, Mike
>
>
>
>   iv. Frequent password changes have been shown to cause users to select less
>       secure passwords.  If the CA has any policy that specifies routine
>       periodic password changes, that period SHOULD NOT be less than two
>       years.  Effective April 1, 2020, if the CA has any policy that requires
>       routine periodic password changes, that period SHALL NOT be less than
>       two years."
>
>
>
> *From:* Public  *On Behalf Of *Tim Hollebeek
> via Public
> *Sent:* Friday, July 13, 2018 3:49 PM
> *To:* Wayne Thayer 
> *Cc:* servercert...@cabforum.org; CA/Browser Forum Public Discussion List
> 
> *Subject:* Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to
> Network Security Guidelines
>
>
>
> Works for me.  I’ll update the ballot.
>
>
>
> -Tim
>
>
>
> *From:* Wayne Thayer [mailto:wtha...@mozilla.com]
> *Sent:* Friday, July 13, 2018 12:24 PM
> *To:* Tim Hollebeek 
> *Cc:* CA/Browser Forum Public Discussion List ;
> servercert...@cabforum.org
> *Subject:* Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to
> Network Security Guidelines
>
>
>
> On Fri, Jul 13, 2018 at 4:50 AM Tim Hollebeek 
> wrote:
>
> Do you have proposed modifications that would address these questions?  I
> would be happy to incorporate them.
>
>
>
>
>
> How about this:
>
>
>
>   iv. Frequent password changes have been shown to cause users to select less
>       secure passwords.  If the CA has any policy that specifies routine
>       periodic password changes, that period SHOULD NOT be less than two
>       years.  Effective April 1, 2020, if the CA has any policy that requires
>       routine periodic password changes, that period SHALL NOT be less than
>       two years."
>
>
>
> *From:* Wayne Thayer [mailto:wtha...@mozilla.com]
> *Sent:* Thursday, July 12, 2018 7:35 PM
> *To:* Tim Hollebeek ; CA/Browser Forum Public
> Discussion List 
> *Cc:* Adriano Santoni ;
> servercert...@cabforum.org
> *Subject:* Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to
> Network Security Guidelines
>
>
>
> How are the concerns that were raised by Microsoft (copied below for
> reference) addressed in this version? If the intent is for the language in
> section 2.g(iv) to only apply to periodic, policy-driven password changes
> and not to prevent event-driven changes, I think that should be clarified.
>
>
>
> * How would auditors verify and prove that a CA did not change a password
> more frequently than two years? This is trying to prove a negative.
> * What about when a CA employee leaves who knows the password, which
> requires it to be changed in less than two years?
> * What about if the password is compromised and needs to be changed in
> less than two years?
>
>
>
> - Wayne
>
>
>
> ___
> Servercert-wg mailing list
> servercert...@cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg
>


Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-14 Thread Tim Hollebeek via Public
Mike,

 

Is there a finite number of years larger than two you could get behind?

 

-Tim

 

From: Mike Reilly (GRC) [mailto:mike.rei...@microsoft.com] 
Sent: Friday, July 13, 2018 7:39 PM
To: Tim Hollebeek ; CA/Browser Forum Public 
Discussion List ; Wayne Thayer 
Cc: servercert...@cabforum.org
Subject: RE: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines

 

Tim and Wayne, I believe making this a requirement will be problematic as I 
commented on with the original ballot (at bottom of thread).  So language would 
need to be as shown below. Thanks, Mike

 

  iv. Frequent password changes have been shown to cause users to select less
      secure passwords.  If the CA has any policy that specifies routine
      periodic password changes, that period SHOULD NOT be less than two
      years.  Effective April 1, 2020, if the CA has any policy that requires
      routine periodic password changes, that period SHALL NOT be less than
      two years."

 

From: Public <public-boun...@cabforum.org> On Behalf Of Tim Hollebeek via Public
Sent: Friday, July 13, 2018 3:49 PM
To: Wayne Thayer <wtha...@mozilla.com>
Cc: servercert...@cabforum.org; CA/Browser Forum Public Discussion List 
<public@cabforum.org>
Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines

 

Works for me.  I’ll update the ballot.

 

-Tim

 

From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: Friday, July 13, 2018 12:24 PM
To: Tim Hollebeek <tim.holleb...@digicert.com>
Cc: CA/Browser Forum Public Discussion List <public@cabforum.org>; 
servercert...@cabforum.org
Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines

 

On Fri, Jul 13, 2018 at 4:50 AM Tim Hollebeek <tim.holleb...@digicert.com> wrote:

Do you have proposed modifications that would address these questions?  I would 
be happy to incorporate them.

 

 

How about this:

 

  iv. Frequent password changes have been shown to cause users to select less
      secure passwords.  If the CA has any policy that specifies routine
      periodic password changes, that period SHOULD NOT be less than two
      years.  Effective April 1, 2020, if the CA has any policy that requires
      routine periodic password changes, that period SHALL NOT be less than
      two years."

 

From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: Thursday, July 12, 2018 7:35 PM
To: Tim Hollebeek <tim.holleb...@digicert.com>; CA/Browser Forum Public 
Discussion List <public@cabforum.org>
Cc: Adriano Santoni <adriano.sant...@staff.aruba.it>; servercert...@cabforum.org
Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines

 

How are the concerns that were raised by Microsoft (copied below for reference) 
addressed in this version? If the intent is for the language in section 2.g(iv) 
to only apply to periodic, policy-driven password changes and not to prevent 
event-driven changes, I think that should be clarified.

 

* How would auditors verify and prove that a CA did not change a password more 
frequently than two years? This is trying to prove a negative.
* What about when a CA employee leaves who knows the password, which requires 
it to be changed in less than two years?
* What about if the password is compromised and needs to be changed in less 
than two years?

 

- Wayne

 





Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-13 Thread Mike Reilly (GRC) via Public
Tim and Wayne, I believe making this a requirement will be problematic as I 
commented on with the original ballot (at bottom of thread).  So language would 
need to be as shown below. Thanks, Mike

  iv. Frequent password changes have been shown to cause users to select less
      secure passwords.  If the CA has any policy that specifies routine
      periodic password changes, that period SHOULD NOT be less than two
      years.  Effective April 1, 2020, if the CA has any policy that requires
      routine periodic password changes, that period SHALL NOT be less than
      two years."

From: Public  On Behalf Of Tim Hollebeek via Public
Sent: Friday, July 13, 2018 3:49 PM
To: Wayne Thayer 
Cc: servercert...@cabforum.org; CA/Browser Forum Public Discussion List 

Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines

Works for me.  I’ll update the ballot.

-Tim

From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: Friday, July 13, 2018 12:24 PM
To: Tim Hollebeek <tim.holleb...@digicert.com>
Cc: CA/Browser Forum Public Discussion List <public@cabforum.org>; 
servercert...@cabforum.org
Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines

On Fri, Jul 13, 2018 at 4:50 AM Tim Hollebeek <tim.holleb...@digicert.com> wrote:
Do you have proposed modifications that would address these questions?  I would 
be happy to incorporate them.


How about this:

  iv. Frequent password changes have been shown to cause users to select less
      secure passwords.  If the CA has any policy that specifies routine
      periodic password changes, that period SHOULD NOT be less than two
      years.  Effective April 1, 2020, if the CA has any policy that requires
      routine periodic password changes, that period SHALL NOT be less than
      two years."

From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: Thursday, July 12, 2018 7:35 PM
To: Tim Hollebeek <tim.holleb...@digicert.com>; CA/Browser Forum Public 
Discussion List <public@cabforum.org>
Cc: Adriano Santoni <adriano.sant...@staff.aruba.it>; servercert...@cabforum.org
Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines

How are the concerns that were raised by Microsoft (copied below for reference) 
addressed in this version? If the intent is for the language in section 2.g(iv) 
to only apply to periodic, policy-driven password changes and not to prevent 
event-driven changes, I think that should be clarified.

* How would auditors verify and prove that a CA did not change a password more 
frequently than two years? This is trying to prove a negative.
* What about when a CA employee leaves who knows the password which requires it 
to be changed in less than two years?
* What about if the password is compromised and needs to be changed in less 
than two years?

- Wayne

___
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
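The 2.g(iv) wording proposed above restricts only the period of a routine, policy-driven rotation; event-driven changes (a departing employee, a suspected compromise) are outside it, which also answers the "proving a negative" concern: an auditor looks at the rotation policy, not at every change. As an added example that is not part of this thread or of the ballot, the Python below applies that distinction to password-change records: only consecutive routine rotations on the same account are compared against the two-year floor, and event-driven changes are skipped. The log format, the reason codes, the function names and the sample records are all constructed for this example and are not taken from any CA's systems.

```python
from datetime import datetime, timedelta

# Proposed NCSSR 2.g(iv): a routine, policy-driven rotation period SHALL NOT be
# less than two years.
MIN_ROUTINE_PERIOD = timedelta(days=730)

# Change reasons that are event-driven rather than routine.  This vocabulary is
# an assumption of the example; the ballot text defines no such codes.
EVENT_DRIVEN = {"compromise", "personnel_departure", "initial_provisioning"}
ROUTINE = "routine_rotation"


def parse_events(lines):
    """Parse constructed log lines of the form
    '<ISO timestamp> <account> password_changed reason=<code>'
    into (timestamp, account, reason) tuples, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, account, action, reason_field = line.split()
        if action != "password_changed" or not reason_field.startswith("reason="):
            raise ValueError(f"unexpected log line: {line!r}")
        reason = reason_field[len("reason="):]
        if reason != ROUTINE and reason not in EVENT_DRIVEN:
            raise ValueError(f"unknown reason {reason!r} in {line!r}")
        events.append((datetime.fromisoformat(ts), account, reason))
    return sorted(events)


def routine_rotation_findings(events, min_period=MIN_ROUTINE_PERIOD):
    """Return [(account, earlier_ts, later_ts, gap_days)] for every pair of
    consecutive routine rotations on one account that are closer together
    than min_period.  Event-driven changes are ignored: they neither count
    as a rotation nor reset the routine clock, so a reset after a compromise
    or a departure never produces a finding."""
    last_routine = {}
    findings = []
    for ts, account, reason in events:
        if reason != ROUTINE:
            continue
        prev = last_routine.get(account)
        if prev is not None and ts - prev < min_period:
            findings.append((account, prev, ts, (ts - prev).days))
        last_routine[account] = ts
    return findings


# Constructed sample log (not real CA data): "alice" is on a 90-day rotation
# schedule for part of the period; "bob" only changes after a compromise and
# a personnel departure.
SAMPLE_LOG = """
2018-01-01T09:00:00 alice password_changed reason=initial_provisioning
2018-04-01T09:00:00 alice password_changed reason=routine_rotation
2018-06-30T09:00:00 alice password_changed reason=routine_rotation
2018-01-01T09:00:00 bob password_changed reason=initial_provisioning
2018-03-15T09:00:00 bob password_changed reason=compromise
2018-05-01T09:00:00 bob password_changed reason=personnel_departure
2020-07-01T09:00:00 alice password_changed reason=routine_rotation
"""

if __name__ == "__main__":
    for account, prev, ts, days in routine_rotation_findings(parse_events(SAMPLE_LOG.splitlines())):
        print(f"{account}: routine rotation after {days} days "
              f"({prev.date()} -> {ts.date()}) is shorter than two years")
```

Run as written, the only finding is alice's 90-day rotation in 2018; her later rotation (732 days after the previous one) passes, and bob's two event-driven changes produce nothing. The `min_period` parameter exists so the same check can be run against the SHOULD NOT phase and the SHALL NOT phase, or against a stricter internal policy.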


Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-13 Thread Tim Hollebeek via Public
Works for me.  I’ll update the ballot.

-Tim

From: Wayne Thayer [mailto:wtha...@mozilla.com] 
Sent: Friday, July 13, 2018 12:24 PM
To: Tim Hollebeek 
Cc: CA/Browser Forum Public Discussion List ; 
servercert...@cabforum.org
Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines

On Fri, Jul 13, 2018 at 4:50 AM Tim Hollebeek wrote:

Do you have proposed modifications that would address these questions?  I would 
be happy to incorporate them.

How about this:

  iv. Frequent password changes have been shown to cause users to select less
   secure passwords.  If the CA has any policy that specifies routine periodic password changes,
   that period SHOULD NOT be less than two years.  Effective April 1, 2020,
   if the CA has any policy that requires routine periodic password changes, that period SHALL NOT
   be less than two years."

From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: Thursday, July 12, 2018 7:35 PM
To: Tim Hollebeek ; CA/Browser Forum Public Discussion List 
Cc: Adriano Santoni ; servercert...@cabforum.org
Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines

How are the concerns that were raised by Microsoft (copied below for reference) 
addressed in this version? If the intent is for the language in section 2.g(iv) 
to only apply to periodic, policy-driven password changes and not to prevent 
event-driven changes, I think that should be clarified.

* How would auditors verify and prove that a CA did not change a password more 
frequently than two years? This is trying to prove a negative.
* What about when a CA employee leaves who knows the password which requires it 
to be changed in less than two years?
* What about if the password is compromised and needs to be changed in less 
than two years?

- Wayne



Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-13 Thread Wayne Thayer via Public
On Fri, Jul 13, 2018 at 4:50 AM Tim Hollebeek wrote:

> Do you have proposed modifications that would address these questions?  I
> would be happy to incorporate them.

How about this:

  iv. Frequent password changes have been shown to cause users to select less
   secure passwords.  If the CA has any policy that specifies routine periodic password changes,
   that period SHOULD NOT be less than two years.  Effective April 1, 2020,
   if the CA has any policy that requires routine periodic password changes, that period SHALL NOT
   be less than two years."

> *From:* Wayne Thayer [mailto:wtha...@mozilla.com]
> *Sent:* Thursday, July 12, 2018 7:35 PM
> *To:* Tim Hollebeek ; CA/Browser Forum Public
> Discussion List 
> *Cc:* Adriano Santoni ;
> servercert...@cabforum.org
> *Subject:* Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to
> Network Security Guidelines
>
>
>
> How are the concerns that were raised by Microsoft (copied below for
> reference) addressed in this version? If the intent is for the language in
> section 2.g(iv) to only apply to periodic, policy-driven password changes
> and not to prevent event-driven changes, I think that should be clarified.
>
>
>
> * How would auditors verify and prove that a CA did not change a password
> more frequently than two years? This is trying to prove a negative.
> * What about when a CA employee leaves who knows the password which
> requires it to be changed in less than two years?
> * What about if the password is compromised and needs to be changed in
> less than two years?
>
>
>
> - Wayne


Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-13 Thread Tim Hollebeek via Public
Nope, not going to happen.  Excessively frequent rotation is a well-known and 
proven cause of weak passwords.

There’s a grace period of two years where it’s a SHOULD instead of a MUST so 
people can figure out how to deal with it.

I’m actively working with organizations like PCI to get the same changes into 
their standards so there are fewer issues with audits.  I would appreciate help 
from anyone who can.  But 90-day password rotation needs to be a thing of the 
past.

-Tim

From: Doug Beattie [mailto:doug.beat...@globalsign.com] 
Sent: Friday, July 13, 2018 7:34 AM
To: Wayne Thayer ; CA/B Forum Server Certificate WG Public 
Discussion List ; Tim Hollebeek 
; CA/Browser Forum Public Discussion List 

Subject: RE: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network 
Security Guidelines

I completely understand the requirement to have a maximum period for password 
use (everyone has one today), but I’m having a hard time with a requirement 
that says you can’t have a policy for changing your password more frequently 
than X.  This could conflict with other audit requirements and local corporate 
policies where rotating passwords is needed.  Personally, I don’t think we 
should have a requirement (MUST statement) regarding the minimum amount of time 
between password changes.

I recommend removing this from the ballot:

Effective April 1, 2020, if passwords are required to be changed periodically, 
that period SHALL NOT be less than two years."

Doug

From: Servercert-wg On Behalf Of Wayne Thayer via Servercert-wg
Sent: Thursday, July 12, 2018 7:35 PM
To: Tim Hollebeek ; CA/Browser Forum Public Discussion List 
Cc: servercert...@cabforum.org
Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network 
Security Guidelines

How are the concerns that were raised by Microsoft (copied below for reference) 
addressed in this version? If the intent is for the language in section 2.g(iv) 
to only apply to periodic, policy-driven password changes and not to prevent 
event-driven changes, I think that should be clarified.

* How would auditors verify and prove that a CA did not change a password more 
frequently than two years? This is trying to prove a negative.
* What about when a CA employee leaves who knows the password which requires it 
to be changed in less than two years?
* What about if the password is compromised and needs to be changed in less 
than two years?

- Wayne


Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-13 Thread Tim Hollebeek via Public
Do you have proposed modifications that would address these questions?  I would 
be happy to incorporate them.
From: Wayne Thayer [mailto:wtha...@mozilla.com] 
Sent: Thursday, July 12, 2018 7:35 PM
To: Tim Hollebeek ; CA/Browser Forum Public 
Discussion List 
Cc: Adriano Santoni ; servercert...@cabforum.org
Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network 
Security Guidelines
How are the concerns that were raised by Microsoft (copied below for reference) 
addressed in this version? If the intent is for the language in section 2.g(iv) 
to only apply to periodic, policy-driven password changes and not to prevent 
event-driven changes, I think that should be clarified.

* How would auditors verify and prove that a CA did not change a password more 
frequently than two years? This is trying to prove a negative.
* What about when a CA employee leaves who knows the password which requires it 
to be changed in less than two years?
* What about if the password is compromised and needs to be changed in less 
than two years?

- Wayne


Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-13 Thread Doug Beattie via Public
I completely understand the requirement to have a maximum period for password 
use (everyone has one today), but I’m having a hard time with a requirement 
that says you can’t have a policy for changing your password more frequently 
than X.  This could conflict with other audit requirements and local corporate 
policies where rotating passwords is needed.  Personally, I don’t think we 
should have a requirement (MUST statement) regarding the minimum amount of time 
between password changes.

I recommend removing this from the ballot:

Effective April 1, 2020, if passwords are required to be changed periodically, 
that period SHALL NOT be less than two years."

Doug

From: Servercert-wg  On Behalf Of Wayne 
Thayer via Servercert-wg
Sent: Thursday, July 12, 2018 7:35 PM
To: Tim Hollebeek ; CA/Browser Forum Public 
Discussion List 
Cc: servercert...@cabforum.org
Subject: Re: [Servercert-wg] [cabfpub] Ballot SC3: Improvements to Network 
Security Guidelines
How are the concerns that were raised by Microsoft (copied below for reference) 
addressed in this version? If the intent is for the language in section 2.g(iv) 
to only apply to periodic, policy-driven password changes and not to prevent 
event-driven changes, I think that should be clarified.

* How would auditors verify and prove that a CA did not change a password more 
frequently than two years? This is trying to prove a negative.
* What about when a CA employee leaves who knows the password which requires it 
to be changed in less than two years?
* What about if the password is compromised and needs to be changed in less 
than two years?

- Wayne


Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-12 Thread Wayne Thayer via Public
How are the concerns that were raised by Microsoft (copied below for
reference) addressed in this version? If the intent is for the language in
section 2.g(iv) to only apply to periodic, policy-driven password changes
and not to prevent event-driven changes, I think that should be clarified.

* How would auditors verify and prove that a CA did not change a password
more frequently than two years? This is trying to prove a negative.
* What about when a CA employee leaves who knows the password which
requires it to be changed in less than two years?
* What about if the password is compromised and needs to be changed in less
than two years?

- Wayne


Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-12 Thread Tim Hollebeek via Public
Adding the public list as discussed on the call.

-Tim

From: Servercert-wg [mailto:servercert-wg-boun...@cabforum.org] On Behalf Of 
Adriano Santoni via Servercert-wg
Sent: Thursday, July 12, 2018 1:53 AM
To: servercert...@cabforum.org
Subject: Re: [Servercert-wg] Ballot SC3: Improvements to Network Security 
Guidelines

Let's try again

On 11/07/2018 19:44, Dimitris Zacharopoulos wrote:

Are all members who have declared participation to this WG able to post to 
this list without moderation?

Dimitris.

On 10/7/2018 12:44 AM, Tim Hollebeek wrote:

TL;DR: Ballot SC3 is exactly the same as Ballot 221, the only changes are to 
include a redline, and to make the requirements around password lifetimes a bit 
easier to read.

-Tim

From: Servercert-wg [mailto:servercert-wg-boun...@cabforum.org] On Behalf Of 
Tim Hollebeek
Sent: Monday, July 9, 2018 5:05 PM
To: servercert...@cabforum.org
Subject: [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

https://github.com/cabforum/documents/compare/SC3-PasswordChangesDieDieDie?expand=1

Ballot 221: Two-Factor Authentication and Password Improvements

Purpose of Ballot: The Network Security Working Group met a number of times to 
improve the Network Security Guidelines requirements around authentication, 
specifically by requiring two-factor authentication, and improving the password 
requirements in line with more recent NIST guidelines.

While CAs are encouraged to improve their password requirements as soon as 
possible, a two year grace period is being given to allow organizations to 
develop and implement policies to implement the improved requirements, especially 
since some organizations may have to simultaneously comply with other 
compliance frameworks that have not been updated yet and are based on older NIST 
guidance about passwords.

The following motion has been proposed by Tim Hollebeek of DigiCert and endorsed 
by Dimitris Zacharopoulos of Harica and Neil Dunbar of TrustCor.

— MOTION BEGINS —

This ballot modifies the “Network and Certificate System Security Requirements” 
as follows, based upon Version 1.1:

In the definitions, add a definition for Multi-Factor Authentication:

"Multi-Factor Authentication: An authentication mechanism consisting of two or 
more of the following independent categories of credentials (i.e. factors) to 
verify the user’s identity for a login or other transaction: something you know 
(knowledge factor), something you have (possession factor), and something you 
are (inherence factor).  Each factor must be independent.  Certificate-based 
authentication can be used as part of Multifactor Authentication only if the 
private key is stored in a Secure Key Storage Device."

Capitalize all instances of the defined term "Multi-Factor Authentication".

Add a definition for Secure Key Storage Device:

"Secure Key Storage Device: A device certified as meeting at least FIPS 140-2 
level 2 overall, level 3 physical, or Common Criteria (EAL 4+)."

In section 1.j., capitalize Multi-Factor Authentication, and strike the 
parenthetical reference to subsection 2.n.(ii).

In section 2.f., add "(for accountability purposes, group accounts or shared 
role credentials SHALL NOT be used)" after "authenticate to Certificate Systems".

Change section 2.g. to read:

"g. If an authentication control used by a Trusted Role is a username and password, 
then, where technically feasible, implement the following controls:

  i.   For accounts that are accessible only within Secure Zones or High Security 
       Zones, require that passwords have at least twelve (12) characters;
  ii.  For authentications which cross a zone boundary into a Secure Zone or High 
       Security Zone, require Multi-Factor Authentication.  For accounts accessible 
       from outside a Secure Zone or High Security Zone require passwords that have 
       at least eight (8) characters and are not one of the user's previous 
       four (4) passwords; and implement account lockout for failed access attempts 
       in accordance with subsection k;
  iii. When developing password policies, CAs SHOULD take into account the password 
       guidance in NIST 800-63B Appendix A.
  iv.  Frequent password changes have been shown to cause users to select less 
       secure passwords.  If passwords are required to be changed periodically, 
       that period SHOULD NOT be less than two years.  Effective April 1, 2020, 
       if passwords are required to be changed periodically, that period SHALL NOT 
       be less than two years."

In section 2.h., change "Require" to "Have a policy that requires"

In section 2.i., change "Configure" to "Have a procedure to configure"