[cabf_netsec] NCSSR Section 2.g.ii

Neil Dunbar ndunbar at trustcorsystems.com
Tue Mar 24 08:05:25 MST 2020

I don't read them as being contradictory.

The first sentence is simply saying that _if_ you are coming into a 
secure zone from a less-than-secure zone, multiple authentication 
factors are mandatory. Those factors may, or may not, include a password 
authentication. An example which might not: SSH into a high security 
zone, with the private key on a FIPS-140-2 device, and public key 
authentication selected, which then prompts for a One-Time-Password from 
the user to complete the login.

The second sentence is saying that _if_ such accounts _could_ be used 
from the outside (even if, in practice, they are not so used), _and_ 
they rely on a password, then the password regime must involve password 
complexity, retain history, employ a lockout function and so on. Thus, 
were my workstation in a secure zone, and I desired to log into an 
account which was in the same secure zone, I could do so with a single 
factor (password authentication), so long as the password regime was as 

So I think they are complementary. That said, I think the text could be 
made a little clearer, if my understanding is indeed correct. On a point 
of principle, account lockout is something that I've always felt uneasy 
about, since it's so easy to use as an availability attack vector.



On 23/03/2020 20:14, Ben Wilson via Netsec wrote:
> Aren't the two sentences in 2.g.ii. contradictory?  The first sentence 
> says that MFA is required for Secure Zone / High Security Zone, and 
> the second sentence says that passwords must be at least 8 characters, 
> etc.
> See
> https://cabforum.org/2018/08/16/ballot-sc3-two-factor-authentication-and-password-improvements/ 
>     ii. For authentications which cross a zone boundary into a Secure 
> Zone or High Security Zone, require Multi-Factor Authentication. For 
> accounts accessible from outside a Secure Zone or High Security Zone 
> require passwords that have at least eight (8) characters and are not 
> be one of the user's previous four (4) passwords; and implement 
> account lockout for failed access attempts in accordance with 
> subsection k;
> Could it be reworded as follows?
> ii.   For authentications from outside the CA's network, require 
> Multi-Factor Authentication and implement account lockout for failed 
> access attempts in accordance with subsection k;
> Ben
> _______________________________________________
> Netsec mailing list
> Netsec at cabforum.org
> http://cabforum.org/mailman/listinfo/netsec
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/netsec/attachments/20200324/f38d779c/attachment.html>

More information about the Netsec mailing list