[cabfpub] Ballot 221 v3: Two-Factor Authentication and Password Improvements

Geoff Keating geoffk at apple.com
Tue May 15 15:48:55 MST 2018

> On May 15, 2018, at 8:37 AM, Patrick Tronnier via Public <public at cabforum.org> wrote:
> I want to make it clear that OATI agrees with the minimum 2 year password period as the more secure route. It is FedRAMP and other standards which don't. :)

I've been looking at FedRAMP, because I was surprised they'd be putting out guidelines that conflict with NIST guidelines, and I can't find this requirement; for the 'high security controls' (https://www.fedramp.gov/assets/resources/documents/FedRAMP_High_Security_Controls.xlsx), it does require you have a minimum and maximum password lifetime in IA-05(1)(d), but it says the actual limits are organization-defined, so you can ask the organization to set the maximum lifetime to, say, 3 years.