Hi.

NIST (National Institute of Standards & Technology in the US) maintains a series of documents describing how government security technology must be evaluated and implemented. One of the primary documents in the government's portfolio is called "NIST SP800-63 Electronic Authentication Guideline", and it sets the requirements for implementing e-authentication for the government:

http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf

As you might know, NIST is in the process of updating NIST SP800-63 E-Authentication Guideline to broaden the scope of the document to include assertion-based technologies etc. The first comment period was in January, but it seems they are still looking for more input. It would probably be a good idea to compile requests/comments as a community and send them off to them.

Of particular interest to me is the interpretation of password entropy requirements etc. for Level 1 authentication. I am quite sure that we can achieve similar with more modern techniques like risk-based authentication etc. I am sure that there are a bunch of other topics as well.

It would be great if you could start discussing those points, in conjunction with perhaps the wiki. I have also created an empty wiki page for it: http://wiki.openid.net/NIST_SP800-63rev1_comments

So, please start discussing online, and perhaps you can do f2f as well at IIW, though I cannot come unfortunately (because of the H1N1 hysteria in Japan.)

Cheers,

Nat Sakimura (=nat)
http://www.sakimura.org/en/

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security