[cabf_netsec] [EXTERNAL]Re: Offline Roots

Peter Bowen pzb at amzn.com
Sat Jul 8 08:40:35 MST 2017

> On Jul 7, 2017, at 2:26 AM, Dimitris Zacharopoulos <jimmy at it.auth.gr> wrote:
> On 6/7/2017 7:36 PM, Peter Bowen via Netsec wrote:
>> What about changing 2(m) to “multi-factor or multi-party authentication”?  This would allow offline systems to use HSM controls to meet the requirement.
> "Multi-factor" authentication is currently not defined in the document (it would be nice to add it). Usually, the different factors are "something you know", "something you have", "something you are" so you need a combination of these to achieve "multi-factor". Adding "multi-party" authentication makes sense but we would probably need to also define it.

I would prefer to hold off on any major work here, including adding definitions, and instead have us consider adopting NIST 800-63B language as a future revision.  https://pages.nist.gov/800-63-3/sp800-63b.html has very clear definitions and also provides the concept of “Authenticator Assurance Levels” which abstract specific technologies into allowed combinations.

I was hoping adding “or multi-party” would be a simple change as “multi-party” is already used in WebTrust for CAs and ISO 21188 illustrative controls.  I’m happy to use a different term.

> So, to better understand the suggestion, for 2(m) we would need either "multi-factor authentication by a single person" OR "single-factor authentication by multiple persons". Is that right?

Yes, that was my intention.
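As an added illustration (not part of the thread or any CA/B Forum document), here is a small Python model of the proposed 2(m) wording as restated above: multi-factor authentication by a single person, or single-factor authentication by multiple persons, such as an HSM operator-card quorum. The factor classes, operator names and quorum sizes are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Factor classes from the thread's description of "multi-factor":
# something you know, something you have, something you are.
FACTOR_CLASSES = {"knowledge", "possession", "inherence"}


@dataclass(frozen=True)
class AuthEvent:
    person: str         # operator identifier (constructed sample values below)
    factor: str         # one of FACTOR_CLASSES
    authenticator: str  # descriptive only, e.g. "password", "operator card"


def is_multi_factor(events, person):
    """True if one person presented authenticators from >= 2 distinct factor classes.
    Two authenticators of the same class (password + PIN) do not count."""
    classes = {e.factor for e in events if e.person == person}
    unknown = classes - FACTOR_CLASSES
    if unknown:
        raise ValueError(f"unknown factor class: {unknown}")
    return len(classes) >= 2


def is_multi_party(events, quorum=2):
    """True if at least `quorum` distinct persons authenticated (one factor each suffices).
    Models an HSM M-of-N operator-card ceremony; `quorum` is the assumed M."""
    return len({e.person for e in events}) >= quorum


def satisfies_2m(events, quorum=2):
    """Proposed 2(m): multi-factor by a single person OR multi-party authentication."""
    persons = {e.person for e in events}
    return any(is_multi_factor(events, p) for p in persons) or is_multi_party(events, quorum)


# Constructed scenarios (names and authenticators are illustrative).
SINGLE_OPERATOR_PASSWORD = [AuthEvent("alice", "knowledge", "password")]
SAME_CLASS_TWICE = [AuthEvent("alice", "knowledge", "password"),
                    AuthEvent("alice", "knowledge", "PIN")]
SINGLE_OPERATOR_MFA = [AuthEvent("alice", "knowledge", "password"),
                       AuthEvent("alice", "possession", "hardware token")]
HSM_QUORUM = [AuthEvent("alice", "possession", "operator card"),
              AuthEvent("bob", "possession", "operator card")]

if __name__ == "__main__":
    for name, scenario in [("password only", SINGLE_OPERATOR_PASSWORD),
                           ("password + PIN", SAME_CLASS_TWICE),
                           ("password + token", SINGLE_OPERATOR_MFA),
                           ("2 operator cards (2-of-N)", HSM_QUORUM),
                           ("2 operator cards (3-of-N)", HSM_QUORUM)]:
        q = 3 if "3-of-N" in name else 2
        print(f"{name}: {'meets' if satisfies_2m(scenario, q) else 'fails'} 2(m)")
```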

