[cabfpub] Ballot 221 v3: Two-Factor Authentication and Password Improvements
Geoff Keating
geoffk at apple.com
Tue May 15 22:48:55 UTC 2018
> On May 15, 2018, at 8:37 AM, Patrick Tronnier via Public <public at cabforum.org> wrote:
>
> I want to make it clear that OATI agrees with the minimum 2 year password period as the more secure route. It is FedRAMP and other standards which don’t. J
I've been looking at FedRAMP, because I was surprised they'd be putting out guidelines that conflict with NIST guidelines, and I can't find this requirement; for the 'high security controls' (https://www.fedramp.gov/assets/resources/documents/FedRAMP_High_Security_Controls.xlsx), it does require you have a minimum and maximum password lifetime in IA-05(1)(d), but it says the actual limits are organization-defined, so you can ask the organization to set the maximum lifetime to, say, 3 years.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3321 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180515/7b3413e4/attachment-0003.p7s>
More information about the Public
mailing list