Review NSR Ballot SC03 - Two Factor Authentication and Password Improvements #554

Closed
4 tasks done
weirdscience opened this issue Nov 7, 2018 · 4 comments · Fixed by #581

weirdscience commented Nov 7, 2018

SC3 Ballot: https://cabforum.org/2018/08/16/ballot-sc3-two-factor-authentication-and-password-improvements/

SC3 Github: cabforum/servercert@4a98c09#diff-50fc941f7be640a0bf58764b83d5d9e7

Looks like four new additions to the NSR and we've incorporated the NSR in the CP. The section interpretation is our own because the NSR is not in an RFC 3647 format.

  • Group accounts or shared role credentials shall not be used.

      • Good. CP Section 5.2.3 "All trusted roles shall use a unique credential created by or assigned to a single individual for identification and authentication."

  • Revised password requirements for trusted role access using a username or password.

      • Good. Both the Root and Issuer CPS require MFA for all trusted roles. Possibly consider updating CP to match MFA reference in CPS or add password requirements to keep it flexible and compliant. CP Section 5.2.3 "CAs shall implement multi-factor or multi-party authentication for all Administrator trusted role access to Certificate System Components including operating system and software."

  • Have a policy (vice require) for log out or lock when a workstation is no longer used.

      • Potential CP update. No CP or CPS reference of an inactivity log or lock. Only related to failed access attempts. CP 6.6.2 "All system accounts and trusted role accounts shall have be configured to lockout access after five (5) failed access attempts"

  • Have a procedure to configure (vice just configure) inactivity time-outs.

      • Potential CP update. Same as above. May not need to update CP if both root and issuer have an SOP to configure inactivity time-outs.

@weirdscience

These were integrated into CP v0.4.

@weirdscience

Retract last statement. Did not make it in the v0.4.

@lachellel

I caught these in 28cea42

For a statement that says "have a policy" - USG has many policies including those defined and governed by DoD, NIST, OMB, DHS (govt wide), and other Agency level. As a practice, CA operator teams should not develop/write local policies and can reference an existing govt policy.

@weirdscience

Looks like ready to close.
