Ballot-221 (status: failed)
Ballot 221 – Two-Factor Authentication and Password Improvements
Server Certificate Working Group
Key dates
- Voting opened: 17 May 2018
- Voting closed: 24 May 2018
- Discussion opened: 28 Mar 2018
- Discussion closed: 17 May 2018
AI Summary
Ballot outcome
- Ballot 221 has ended and the ballot has failed.
- Voting by CAs: 6 yes votes, 0 no votes, 0 abstain.
- Voting by browsers: 0 yes votes, 1 no vote, 0 abstain.
- Quorum was not met because 10 votes were required and only 7 votes participated.
- The ballot also did not meet the approval requirement because it was not approved by browsers.
- Adoption requires a yes vote from at least one CA member and at least one browser member; that condition was not met, so the ballot was not adopted.
Purpose
- The ballot was intended to update the Network and Certificate System Security Requirements.
- The stated goals were to require two-factor authentication and improve password requirements in line with more recent NIST guidance.
- CAs were encouraged to improve their password requirements as soon as possible, with a two-year grace period to allow organizations to develop and implement policies.
Proposed changes
- Add definitions for Multi-Factor Authentication and Secure Key Storage Device.
- Capitalize all uses of Multi-Factor Authentication.
- Update section 2.f. to prohibit group accounts or shared role credentials for accountability purposes.
- Update section 2.g. to:
- require at least 12 characters for passwords used only within Secure Zones or High Security Zones,
- require Multi-Factor Authentication for authentications crossing a zone boundary into a Secure Zone or High Security Zone,
- require at least 8 characters, no reuse of the previous four passwords, and account lockout for accounts accessible from outside a Secure Zone or High Security Zone,
- take NIST 800-63B Appendix A into account when developing password policies,
- if periodic password changes are required, make the period at least two years.
- The motion states: Effective April 1, 2020, if passwords are required to be changed periodically, that period SHALL be at least two years.
- Update sections 2.h. and 2.i. to change wording from Require and Configure to more procedural language.
- Update section 2.k. to require lockout after no more than five failed access attempts, subject to listed security conditions.
- Update section 2.n. to enforce Multi-Factor Authentication for all Trusted Role accounts on Certificate Systems accessible from outside a Secure Zone or High Security Zone, including those approving certificate issuance and delegated third parties.
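To make the proposed 2.g, 2.k and 2.n rules concrete, here is an added example (not from the ballot or from CABF) that checks a hypothetical account-policy description against them. The `AccountPolicy` shape, the sample policies and the rule labels are assumptions; the MFA rules of 2.g and 2.n are treated as one check.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AccountPolicy:
    """Hypothetical description of one account class on a Certificate System."""
    name: str
    reachable_from_outside: bool      # accessible from outside a Secure/High Security Zone
    min_password_length: int
    password_history: int             # previous passwords that may not be reused
    lockout_threshold: Optional[int]  # failed attempts before lockout; None = no lockout
    rotation_days: Optional[int]      # forced change period; None = no periodic change
    mfa_required: bool


TWO_YEARS_DAYS = 730


def check_policy(p: AccountPolicy) -> List[str]:
    """Return the Ballot 221 rules the policy would violate (empty list = compliant)."""
    findings = []
    if p.reachable_from_outside:
        # 2.g: accounts reachable from outside a protected zone
        if p.min_password_length < 8:
            findings.append("2.g: password shorter than 8 characters")
        if p.password_history < 4:
            findings.append("2.g: reuse of the previous four passwords not prevented")
        if p.lockout_threshold is None:
            findings.append("2.g: no account lockout configured")
        # 2.g/2.n: the authentication crosses a zone boundary, so MFA is required
        if not p.mfa_required:
            findings.append("2.g/2.n: Multi-Factor Authentication not enforced")
    elif p.min_password_length < 12:
        # 2.g: passwords used only inside a Secure/High Security Zone
        findings.append("2.g: in-zone password shorter than 12 characters")
    # 2.k: where lockout exists, it must trigger after at most five failed attempts
    if p.lockout_threshold is not None and p.lockout_threshold > 5:
        findings.append("2.k: lockout only after more than five failed attempts")
    # 2.g: periodic change, if required at all, no more often than every two years
    if p.rotation_days is not None and p.rotation_days < TWO_YEARS_DAYS:
        findings.append("2.g: forced password rotation more often than every two years")
    return findings


# Constructed sample policies (not real CA configurations).
SAMPLE_POLICIES = [
    AccountPolicy("ra-portal", True, 10, 4, 5, None, True),
    AccountPolicy("legacy-admin", True, 8, 3, 10, 90, False),
    AccountPolicy("hsm-console", False, 10, 4, 3, None, False),
]

if __name__ == "__main__":
    for policy in SAMPLE_POLICIES:
        print(policy.name, check_policy(policy) or ["compliant"])
```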
Timing in the ballot procedure
- Discussion period: 2018-03-28 15:00:00 EDT to 2018-05-17 17:45:00 EDT.
- Vote period: 2018-05-17 17:45:00 EDT to 2018-05-24 17:45:00 EDT.
AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.
Proposers
Tim Hollebeek of DigiCert and endorsed by Dimitris Zacharopoulos of Harica and Neil Dunbar of TrustCor.
Excerpt
Ballot 221 – Two-Factor Authentication and Password Improvements. The voting period for Ballot 221 has ended and the ballot has failed. Here are the results.
View on cabforum.org →