Yup, and if we could get an expedited change on this one after the ballot passes and comes into force, that would be great :)

-Tim

From: Public [mailto:[email protected]] On Behalf Of Ryan Sleevi via Public
Sent: Thursday, May 17, 2018 5:18 PM
To: Patrick Tronnier <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]>
Subject: Re: [cabfpub] Ballot 221 v3: Two-Factor Authentication and Password Improvements

The doc you just cited is based on the BRs and Network Security requirements, so yes, as the BR and Network Security requirements change, we generally see WebTrust change ;)

On Thu, May 17, 2018 at 5:05 PM, Patrick Tronnier via Public <[email protected]> wrote:

Thanks Eric. I would also like to point out that WEBTRUST PRINCIPLES AND CRITERIA FOR CERTIFICATION AUTHORITIES - SSL BASELINE WITH NETWORK SECURITY Version 2.3, which was updated in February 2018 (http://www.webtrust.org/principles-and-criteria/docs/item85437.PDF), requires passwords to be changed every 3 months. Hopefully WebTrust will adjust to the NIST guidelines also.

Thanks

With kind regards,
Patrick Tronnier
Principal Security Architect & Sr. Director of Quality Assurance & Customer Support
Phone: 763.201.2000
Direct Line: 763.201.2052
Open Access Technology International, Inc.
3660 Technology Drive NE, Minneapolis, MN

CONFIDENTIAL INFORMATION: This email and any attachment(s) contain confidential and/or proprietary information of Open Access Technology International, Inc. Do not copy or distribute without the prior written consent of OATI. If you are not a named recipient to the message, please notify the sender immediately and do not retain the message in any form, printed or electronic.

From: Eric Mill [mailto:[email protected]]
Sent: Thursday, May 17, 2018 10:43 AM
To: Geoff Keating <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]>
Cc: Patrick Tronnier <[email protected]>
Subject: Re: [cabfpub] Ballot 221 v3: Two-Factor Authentication and Password Improvements

FedRAMP has published guidance about the new NIST password/identity guidelines:
https://www.fedramp.gov/assets/resources/documents/CSP_Digital_Identity_Requirements.pdf

They note that the formal baseline is still not updated, but encourage folks to follow NIST's new guidance regardless:

> NOTE: At the time of this document's publication, FedRAMP Moderate and High controls IA-5 (g) and IA-5 (1) (a,d) are known to be more restrictive than the new password requirements in 800-63B, AAL2 and AAL3 respectively. FedRAMP recommends Agency AOs accept compliance with NIST's guidance that is most up-to-date and consistent with current cyber security threats. This may be done using an implementation status of "Alternative Implementation."

I also confirmed with the FedRAMP program that the baseline is expected to be updated to match NIST's SP 800-63, and thus avoid the need for any special acceptance. But the point is that FedRAMP is not an obstacle to dropping password rotation -- they are expecting service providers to follow NIST's guidance and drop it.

-- Eric

On Tue, May 15, 2018 at 6:48 PM, Geoff Keating via Public <[email protected]> wrote:

> On May 15, 2018, at 8:37 AM, Patrick Tronnier via Public <[email protected]> wrote:
>
> I want to make it clear that OATI agrees with the minimum 2 year password period as the more secure route. It is FedRAMP and other standards which don't. :)

I've been looking at FedRAMP, because I was surprised they'd be putting out guidelines that conflict with NIST guidelines, and I can't find this requirement; for the 'high security controls' (https://www.fedramp.gov/assets/resources/documents/FedRAMP_High_Security_Controls.xlsx), it does require you have a minimum and maximum password lifetime in IA-05(1)(d), but it says the actual limits are organization-defined, so you can ask the organization to set the maximum lifetime to, say, 3 years.

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public

--
Eric Mill
Senior Advisor, Technology Transformation Services
Federal Acquisition Service, GSA
[email protected], +1-617-314-0966
