Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-13 Thread Mike Reilly (GRC) via Public
Tim and Wayne, I believe making this a requirement will be problematic as I commented on with the original ballot (at bottom of thread). So language would need to be as shown below. Thanks, Mike iv. Frequent password changes have been shown to cause users to select less

Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-13 Thread Tim Hollebeek via Public
Works for me. I’ll update the ballot. -Tim From: Wayne Thayer [mailto:wtha...@mozilla.com] Sent: Friday, July 13, 2018 12:24 PM To: Tim Hollebeek Cc: CA/Browser Forum Public Discussion List ; servercert...@cabforum.org Subject: Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to

Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-13 Thread Wayne Thayer via Public
On Fri, Jul 13, 2018 at 4:50 AM Tim Hollebeek wrote: > Do you have proposed modifications that would address these questions? I > would be happy to incorporate them. > > > How about this: iv. Frequent password changes have been shown to cause users to select less

Re: [cabfpub] [EXTERNAL]Re: [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-13 Thread Tim Hollebeek via Public
Even the really, really bad CAs? That’s an awful lot of faith to put in those security teams! -Tim From: Bruce Morton [mailto:bruce.mor...@entrustdatacard.com] Sent: Friday, July 13, 2018 10:25 AM To: Tim Hollebeek ; Doug Beattie ; CA/Browser Forum Public Discussion List ; Wayne

Re: [cabfpub] [EXTERNAL]Re: [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-13 Thread Bruce Morton via Public
I don’t need 2 years to implement. I just don’t think that we need to push this requirement to the ecosystem. I think that the CA’s security teams can manage this risk independently. Bruce. From: Tim Hollebeek [mailto:tim.holleb...@digicert.com] Sent: July 13, 2018 10:22 AM To: Bruce

Re: [cabfpub] [EXTERNAL]Re: [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-13 Thread Tim Hollebeek via Public
How much longer than two years do you two guys need to implement better password policies? Give me a reasonable number and I’ll put it in. I talked to several other large companies already who thought two years was a reasonable enough amount of time, which is why it is two. But I’m not married

Re: [cabfpub] [EXTERNAL]Re: [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-13 Thread Bruce Morton via Public
I agree with Doug’s position. Bruce. From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Doug Beattie via Public Sent: July 13, 2018 7:34 AM To: Wayne Thayer ; CA/B Forum Server Certificate WG Public Discussion List ; Tim Hollebeek ; CA/Browser Forum Public Discussion List

Re: [cabfpub] [Ext] Re: List of which CAs use which methods from Section 3.2.2.4?

2018-07-13 Thread Tim Hollebeek via Public
Also, in response to "any good estimates", just so relying parties have more public information on this important issue, I can mention that Method 1 is (in our case, was) absurdly common; far more common than most people think. The rest is pretty evenly scattered across the methods you would

Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-13 Thread Tim Hollebeek via Public
Nope, not going to happen. Excessively frequent rotation is a well-known and proven cause of weak passwords. There’s a grace period of two years where it’s a SHOULD instead of a MUST so people can figure out how to deal with it. I’m actively working with organizations like PCI to get

Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-13 Thread Tim Hollebeek via Public
Do you have proposed modifications that would address these questions? I would be happy to incorporate them. From: Wayne Thayer [mailto:wtha...@mozilla.com] Sent: Thursday, July 12, 2018 7:35 PM To: Tim Hollebeek ; CA/Browser Forum Public Discussion List Cc: Adriano Santoni ;

Re: [cabfpub] [Ext] Re: List of which CAs use which methods from Section 3.2.2.4?

2018-07-13 Thread Tim Hollebeek via Public
We're seriously considering implementing this proposal well in advance of whatever deadline is set. We think transparency in this area is important for some of the exact same reasons Paul describes. -Tim > -Original Message- > From: Public [mailto:public-boun...@cabforum.org] On Behalf

Re: [cabfpub] [Servercert-wg] Ballot SC3: Improvements to Network Security Guidelines

2018-07-13 Thread Doug Beattie via Public
I completely understand the requirement to have a maximum period for password use (everyone has one today), but I’m having a hard time with a requirement that says you can’t have a policy for changing your password more frequently than X. This could conflict with other audit requirements and