[cabf_netsec] Passwords

Dimitris Zacharopoulos jimmy at it.auth.gr
Wed Feb 28 11:35:12 MST 2018

On 27/2/2018 11:57 μμ, Tim Hollebeek via Netsec wrote:
> As stated on the previous call, I probably will not be able to attend 
> this week’s call, as I am at another standards meeting.
> However, attached please find a version of our latest draft that only 
> has the MFA/password changes. Please double-check it and comment on 
> what additional work (if any) is necessary before it gets turned into 
> a ballot.
> I did add an item that we haven’t discussed previously: recommending 
> that password policies follow the guidance of NIST 800-63B Appendix A 
> (mostly intended to guide people away from misguided complexity 
> requirements), and a requirement that password replacement policies be 
> at least two years, to prevent people from doing stupid things because 
> of overly frequent rotations.
> -Tim
> _______________________________________________
> Netsec mailing list
> Netsec at cabforum.org
> http://cabforum.org/mailman/listinfo/netsec

Hi Tim,

I think this NIST 800-63B requirement will trigger a long discussion. As 
discussed on previous calls, we should try to bring ballots in waves, 
including the NIST password requirement.

I tried to analyze the current draft that includes several changes. Here 
are my draft notes:

      NetSec WG Ballot waves

        Wave 1 (Definitions)

(Re-)Define Account, HSPZ, Air-gapped Zone, Certificate Issuing Systems, 
Issuer CA System, Multifactor Authentication, Offline State, Root CA 
System, Secure Key Storage Device, Secure Zone

        Wave 2 (force MFA for Trusted Roles connected from outside a SZ
        or HSPZ)

2.g when the authentication is with a username/password, maintain the 
12-character rule when the connection is from within the SZ or HSPZ but 
enforce MFA and require password complexity but not require changing the 
password every 3 months. Also, keep the lockout requirement.

2.n enforce MFA on all Trusted Roles for Certificate Systems accessible 
from outside a SZ or HSPZ

Clarify that Certificate-based authentication can be considered MFA when 
the private key is stored in a Secure Key Storage (at least FIPS 140-2 
L2 Certified) Device.

        Wave 3 (do not use "group accounts" for Trusted Role operations
        and language improvements)

Strengthen the 2.f existing rule that requires "unique credential" per 
Trusted Role

Improve language for
- a policy that requires individuals in Trusted Role to logout or lock 
workstations when no longer in use
- the inactivity time-outs
- the lockout requirement

        Wave 4 (log integrity and monitoring that logging is operational)

3.e Improve language to assure log integrity and monitor proper logging 

        Wave 5 (password policy, adoption of NIST 800-63b (Appendix A)

Update 2.g.iii



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/netsec/attachments/20180228/3f27f677/attachment.html>

More information about the Netsec mailing list