[security] Public Comment Preparation to draft NIST SP800-63 rev.1 Dec 2008

Nat Sakimura sakimura at gmail.com
Tue May 12 08:31:31 UTC 2009


Hi.

NIST (National Institute of Standards & Technology in the US) maintains
a series of documents describing how government security technology
must be evaluated and implemented. One of the primary documents
in the government's portfolio is called "NIST SP800-63 Electronic
Authentication Guideline", which sets out the requirements for implementing
e-authentication for the government:

http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf

As you might know, NIST is in the process of updating NIST SP800-63
E-Authentication Guideline to broaden the scope of the document to include
assertion-based technologies etc. The first comment period was in
January, but it seems they are still looking for more input. It would probably
be a good idea to compile requests/comments as a community and
send them off to them.

Of particular interest to me is the interpretation of password entropy
requirements etc. for Level 1 authentication. I am quite sure that we
can achieve something similar with more modern techniques like risk-based
authentication etc.

I am sure that there are a bunch of other topics as well.

It would be great if you could start discussing those points, perhaps in
conjunction with the wiki. I have also created an empty wiki page for it:

http://wiki.openid.net/NIST_SP800-63rev1_comments

So, please start discussing online, and perhaps you can do it f2f as well at
IIW, though I cannot come, unfortunately (because of the H1N1 hysteria
in Japan).

Cheers,


Nat Sakimura (=nat)
http://www.sakimura.org/en/
