[cabf_netsec] Passwords

Dimitris Zacharopoulos jimmy at it.auth.gr
Tue Mar 6 15:26:28 MST 2018

On 28/2/2018 8:35 PM, Dimitris Zacharopoulos via Netsec wrote:
> On 27/2/2018 11:57 PM, Tim Hollebeek via Netsec wrote:
>> As stated on the previous call, I probably will not be able to attend 
>> this week’s call, as I am at another standards meeting.
>> However, attached please find a version of our latest draft that only 
>> has the MFA/password changes. Please double-check it and comment on 
>> what additional work (if any) is necessary before it gets turned into 
>> a ballot.
>> I did add an item that we haven’t discussed previously: recommending 
>> that password policies follow the guidance of NIST 800-63B Appendix A 
>> (mostly intended to guide people away from misguided complexity 
>> requirements), and a requirement that password replacement policies 
>> be at least two years, to prevent people from doing stupid things 
>> because of overly frequent rotations.
>> -Tim
>> _______________________________________________
>> Netsec mailing list
>> Netsec at cabforum.org
>> http://cabforum.org/mailman/listinfo/netsec
> Hi Tim,
> I think this NIST 800-63B requirement will trigger a long discussion. 
> As discussed on previous calls, we should try to bring ballots in 
> waves, including the NIST password requirement.
> I tried to analyze the current draft that includes several changes. 
> Here are my draft notes:
>       NetSec WG Ballot waves
>         Wave 1 (Definitions)
> (Re-)Define Account, HSPZ, Air-gapped Zone, Certificate Issuing 
> Systems, Issuer CA System, Multifactor Authentication, Offline State, 
> Root CA System, Secure Key Storage Device, Secure Zone

After some discussion with Ben and Neil at the F2F, here is our proposal:

Wave 1 should take care of the non-controversial definitions. We will 
address the more controversial definitions in the future.

>         Wave 2 (force MFA for Trusted Roles connected from outside a
>         SZ or HSPZ)
> 2.g when the authentication is with a username/password, maintain the 
> 12-character rule when the connection is from within the SZ or HSPZ 
> but enforce MFA and require password complexity but not require 
> changing the password every 3 months. Also, keep the lockout requirement.
> 2.n enforce MFA on all Trusted Roles for Certificate Systems 
> accessible from outside a SZ or HSPZ
> Clarify that Certificate-based authentication can be considered MFA 
> when the private key is stored in a Secure Key Storage (at least FIPS 
> 140-2 L2 Certified) Device.
>         Wave 3 (do not use "group accounts" for Trusted Role
>         operations and language improvements)
> Strengthen the 2.f existing rule that requires "unique credential" per 
> Trusted Role
> Improve language for
> - a policy that requires individuals in Trusted Role to logout or lock 
> workstations when no longer in use
> - the inactivity time-outs
> - the lockout requirement

Tim's proposed ballot takes care of "Waves 2 and 3" and should follow 
Wave 1 (definitions).

>         Wave 4 (log integrity and monitoring that logging is operational)
> 3.e Improve language to assure log integrity and monitor proper 
> logging operations

Then, Wave 4 is renamed practically to "Wave 3".

>         Wave 5 (password policy, adoption of NIST 800-63b (Appendix A)
>         recommendations)
> Update 2.g.iii
> Thoughts?
> Dimitris.
