[cabfpub] Ballot 221 v3: Two-Factor Authentication and Password Improvements

Ryan Sleevi sleevi at google.com
Thu May 17 21:18:12 UTC 2018


The doc you just cited is based on the BRs and Network Security
requirements, so yes, as the BR and Network Security requirements change,
we generally see WebTrust change ;)

On Thu, May 17, 2018 at 5:05 PM, Patrick Tronnier via Public <
public at cabforum.org> wrote:

> Thanks Eric.
>
> I would also like to point out that WEBTRUST PRINCIPLES AND
> CRITERIA FOR CERTIFICATION AUTHORITIES – SSL BASELINE WITH NETWORK SECURITY
> Version 2.3, which was updated in February 2018,
> (http://www.webtrust.org/principles-and-criteria/docs/item85437.PDF)
> requires passwords to be changed every 3 months. Hopefully WebTrust will
> adjust to the NIST guidelines also.
>
> Thanks
>
> With kind regards,
>
> Patrick Tronnier
> Principal Security Architect &
> Sr. Director of Quality Assurance & Customer Support
> Phone: 763.201.2000
> Direct Line: 763.201.2052
> Open Access Technology International, Inc.
> 3660 Technology Drive NE, Minneapolis, MN
>
>
>
> *From:* Eric Mill [mailto:eric.mill at gsa.gov]
> *Sent:* Thursday, May 17, 2018 10:43 AM
> *To:* Geoff Keating <geoffk at apple.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Cc:* Patrick Tronnier <Patrick.Tronnier at oati.net>
> *Subject:* Re: [cabfpub] Ballot 221 v3: Two-Factor Authentication and
> Password Improvements
>
> FedRAMP has published guidance about the new NIST password/identity
> guidelines:
>
> https://www.fedramp.gov/assets/resources/documents/CSP_Digital_Identity_Requirements.pdf
>
> They note that the formal baseline is still not updated, but encourage
> folks to follow NIST's new guidance regardless:
>
> NOTE: At the time of this document's publication, FedRAMP Moderate and
> High controls IA-5 (g) and IA-5 (1) (a,d) are known to be more restrictive
> than the new password requirements in 800-63B, AAL2 and AAL3 respectively.
> FedRAMP recommends Agency AOs accept compliance with NIST's guidance that
> is most up-to-date and consistent with current cyber security threats. This
> may be done using an implementation status of "Alternative Implementation."
>
>
>
> I also confirmed with the FedRAMP program that the baseline is expected to
> be updated to match NIST's SP 800-63, and thus avoid the need for any
> special acceptance. But the point is that FedRAMP is not an obstacle to
> dropping password rotation -- they are expecting service providers to
> follow NIST's guidance and drop it.
>
> -- Eric
>
> On Tue, May 15, 2018 at 6:48 PM, Geoff Keating via Public <
> public at cabforum.org> wrote:
>
> > On May 15, 2018, at 8:37 AM, Patrick Tronnier via Public <
> > public at cabforum.org> wrote:
> >
> > I want to make it clear that OATI agrees with the minimum 2 year
> > password period as the more secure route. It is FedRAMP and other standards
> > which don't. :)
>
> I've been looking at FedRAMP, because I was surprised they'd be putting
> out guidelines that conflict with NIST guidelines, and I can't find this
> requirement; for the 'high security controls' (https://www.fedramp.gov/
> assets/resources/documents/FedRAMP_High_Security_Controls.xlsx), it does
> require you have a minimum and maximum password lifetime in IA-05(1)(d),
> but it says the actual limits are organization-defined, so you can ask the
> organization to set the maximum lifetime to, say, 3 years.
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
> --
> Eric Mill
> Senior Advisor, Technology Transformation Services
> Federal Acquisition Service, GSA
> eric.mill at gsa.gov, +1-617-314-0966
>