[cabf_netsec] Passwords

Tim Hollebeek tim.hollebeek at digicert.com
Wed Feb 28 12:17:17 MST 2018

Yup, and we kept the important normative requirement (length), and added a new, strong requirement (MFA), so hopefully people will recognize that this is significantly better, even if it is simpler and has fewer requirements.
We can deal with the stupid when we run into it.  I think after some discussion, people will get it.
From: Dimitris Zacharopoulos [mailto:jimmy at it.auth.gr] 
Sent: Wednesday, February 28, 2018 12:13 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Network Security WG List <netsec at cabforum.org>
Subject: Re: [cabf_netsec] Passwords
On 28/2/2018 8:45 PM, Tim Hollebeek wrote:

The NSG requirements as they exist today ALREADY require that the password policy complies with all of NIST 800-63!!!  That’s one of the things we’re trying to fix.  So a SHOULD pointing to NIST 800-63B Appendix A isn’t adding anything, it’s just restoring a teeny portion of what we agreed on the calls to delete.  It is intended to inform the reader about why all of the crazy, prescriptive rules other than length were removed.  I’d suggest reading Appendix A for context.
Basically, the document I posted is the password-relevant parts of what we already discussed on the calls, with only two changes intended to restore a suggestion to read Appendix A, which is informative anyway, and explicit guidance that overly frequent password rotation is bad.  I don’t want people to be able to continue using 90 days as it has been shown to result in weaker passwords, not stronger ones.
No objections from me. I am concerned that other people will be skeptical about removing normative requirements (like the 90-day change) with informative ones. I suppose the NIST document justifies the proposed change adequately.