NIST preview SP 800-63-3

11 views
Skip to first unread message

Linda Toth

unread,
May 10, 2016, 4:13:13 PM5/10/16
to cas-...@apereo.org
Hello CAS developers

Does the intent to remove tokens (as insecure authenticators) from NIST Digital Authentication Guidelines affect CAS going forward?

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775

Fredrik Jönsson

unread,
May 11, 2016, 3:23:56 AM5/11/16
to Linda Toth, cas-...@apereo.org
Is there some more substantial information about this available somewhere?

/Fredrik

--
Fredrik Jönsson, M.Sc.
System Architect

KTH Royal Institute of Technology
University Administration
IT-avdelningen
Drottning Kristinas väg 48, SE-100 44 Stockholm, Sweden
Phone: +46-8-790 66 03
Mobile: +46-73-595 66 03
E-mail: f...@kth.se
Web: https://www.kth.se/profile/fjo

Twitter: https://twitter.com/fredrikjn
LinkedIn: http://se.linkedin.com/in/fredrikjn
> --
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
> To post to this group, send email to cas-...@apereo.org.
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOi1v6P-t12cZhePuO_a%2B8VTXjCN_%3Dzs%2B72JYCVxCe8wqATreA%40mail.gmail.com.
> For more options, visit https://groups.google.com/a/apereo.org/d/optout.

Fredrik Jönsson

unread,
May 11, 2016, 5:32:48 AM5/11/16
to Linda Toth, cas-...@apereo.org
Do I understand it correctly if I believe that they’ve *renamed* tokens to ”authenticators” in the last draft? Not *removed* them at all? The text otherwise appears approximately the same to me from a quick glance, but It’s more than likely that I’m missing something, and I’d be happy to learn.

https://pages.nist.gov/800-63-3/sp800-63-3/sec3_definitions.html

"Authenticator
Something that the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. In previous versions of this guideline, this was referred to as a token."

Could you elaborate a bit? What are the implications you see and want clarified?

Regards,
/Fredrik

--
Fredrik Jönsson, M.Sc.
System Architect

KTH Royal Institute of Technology
University Administration
IT-avdelningen
Drottning Kristinas väg 48, SE-100 44 Stockholm, Sweden
Phone: +46-8-790 66 03
Mobile: +46-73-595 66 03
E-mail: f...@kth.se
Web: https://www.kth.se/profile/fjo

Twitter: https://twitter.com/fredrikjn
LinkedIn: http://se.linkedin.com/in/fredrikjn

> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/470E74DE-B931-4BC5-9D5C-52DAA634CF84%40kth.se.
Reply all
Reply to author
Forward
0 new messages