[cabfpub] Ballot 221 v3: Two-Factor Authentication and Password Improvements

Tim Hollebeek tim.hollebeek at digicert.com
Thu May 17 14:44:59 MST 2018


Yup, and if we could get an expedited change on this one after the ballot passes and comes into force, that would be great 😊

-Tim

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
Sent: Thursday, May 17, 2018 5:18 PM
To: Patrick Tronnier <Patrick.Tronnier at oati.net>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Ballot 221 v3: Two-Factor Authentication and Password Improvements

The doc you just cited is based on the BRs and Network Security requirements, so yes, as the BR and Network Security requirements change, we generally see WebTrust change ;)

On Thu, May 17, 2018 at 5:05 PM, Patrick Tronnier via Public <public at cabforum.org> wrote:

Thanks Eric.

I would also like to point out that WEBTRUST PRINCIPLES AND CRITERIA FOR CERTIFICATION AUTHORITIES – SSL BASELINE WITH NETWORK SECURITY Version 2.3, which was updated in February 2018 (http://www.webtrust.org/principles-and-criteria/docs/item85437.PDF), requires passwords to be changed every 3 months. Hopefully WebTrust will adjust to the NIST guidelines also.

Thanks

With kind regards,

Patrick Tronnier
Principal Security Architect &
Sr. Director of Quality Assurance & Customer Support
Phone: 763.201.2000
Direct Line: 763.201.2052
Open Access Technology International, Inc.
3660 Technology Drive NE, Minneapolis, MN

From: Eric Mill [mailto:eric.mill at gsa.gov]
Sent: Thursday, May 17, 2018 10:43 AM
To: Geoff Keating <geoffk at apple.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Patrick Tronnier <Patrick.Tronnier at oati.net>
Subject: Re: [cabfpub] Ballot 221 v3: Two-Factor Authentication and Password Improvements

FedRAMP has published guidance about the new NIST password/identity guidelines:

https://www.fedramp.gov/assets/resources/documents/CSP_Digital_Identity_Requirements.pdf

They note that the formal baseline is still not updated, but encourage folks to follow NIST's new guidance regardless:

NOTE: At the time of this document’s publication, FedRAMP Moderate and High controls IA-5 (g) and IA-5 (1) (a,d) are known to be more restrictive than the new password requirements in 800-63B, AAL2 and AAL3 respectively. FedRAMP recommends Agency AOs accept compliance with NIST’s guidance that is most up-to-date and consistent with current cyber security threats. This may be done using an implementation status of “Alternative Implementation.”

I also confirmed with the FedRAMP program that the baseline is expected to be updated to match NIST's SP 800-63, and thus avoid the need for any special acceptance. But the point is that FedRAMP is not an obstacle to dropping password rotation -- they are expecting service providers to follow NIST's guidance and drop it.

-- Eric

On Tue, May 15, 2018 at 6:48 PM, Geoff Keating via Public <public at cabforum.org> wrote:

> On May 15, 2018, at 8:37 AM, Patrick Tronnier via Public <public at cabforum.org> wrote:
> 
> I want to make it clear that OATI agrees with the minimum 2 year password period as the more secure route. It is FedRAMP and other standards which don’t. :)

I've been looking at FedRAMP, because I was surprised they'd be putting out guidelines that conflict with NIST guidelines, and I can't find this requirement; for the 'high security controls' (https://www.fedramp.gov/assets/resources/documents/FedRAMP_High_Security_Controls.xlsx), it does require you have a minimum and maximum password lifetime in IA-05(1)(d), but it says the actual limits are organization-defined, so you can ask the organization to set the maximum lifetime to, say, 3 years.

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public

-- 
Eric Mill
Senior Advisor, Technology Transformation Services
Federal Acquisition Service, GSA
eric.mill at gsa.gov, +1-617-314-0966
