[cabf_netsec] Passwords

Tim Hollebeek tim.hollebeek at digicert.com
Wed Feb 28 11:45:44 MST 2018

The NSG requirements as they exist today ALREADY require that the password policy complies with all of NIST 800-63!!!  That’s one of the things we’re trying to fix.  So a SHOULD pointing to NIST 800-63B Appendix A isn’t adding anything; it’s just restoring a teeny portion of what we agreed on the calls to delete.  It is intended to inform the reader about why all of the crazy, prescriptive rules other than length were removed.  I’d suggest reading Appendix A for context.


Basically, the document I posted consists of the password-relevant parts of what we already discussed on the calls, with only two changes: one intended to restore a suggestion to read Appendix A, which is informative anyway, and one adding explicit guidance that overly frequent password rotation is bad.  I don’t want people to be able to continue using 90 days, as it has been shown to result in weaker passwords, not stronger ones.