SC-003 passed

Ballot SC003: Two-Factor Authentication and Password Improvements

Server Certificate Working Group

Key dates

Effective date: 01 Apr 2020
Voting opened: 09 Aug 2018
Voting closed: 16 Aug 2018
Discussion opened: 26 Jul 2018
Discussion closed: 09 Aug 2018

AI Summary

Generated 2026-06-23 21:24 UTC

Ballot overview

  • Ballot SC003: Two-Factor Authentication and Password Improvements in the Server Certificate Working Group.
  • The ballot page states that the voting period ended and the ballot passed.
  • Voting results shown on the page:
    • 17 yes votes from CAs, 0 no votes, 0 abstain.
    • 5 yes votes from browsers, 0 no votes, 0 abstain.
    • Quorum was met.
    • The approval thresholds for CAs and browsers were met.
    • At least one CA member and one browser member voted in favor.

Main policy changes

  • Adds definitions for Multi-Factor Authentication and Secure Key Storage Device.
  • Requires that group accounts or shared role credentials not be used for accountability purposes when authenticating to Certificate Systems.
  • Revises username and password controls for Trusted Roles, including:
    • 12-character passwords for accounts accessible only within Secure Zones or High Security Zones.
    • Multi-Factor Authentication for authentications crossing a zone boundary into a Secure Zone or High Security Zone.
    • For accounts accessible from outside a Secure Zone or High Security Zone, passwords must be at least 8 characters, not be one of the user’s previous four passwords, and account lockout must be implemented in accordance with the lockout subsection.
    • CAs should consider NIST 800-63B Appendix A when developing password policies.
    • If a CA has a policy requiring routine periodic password changes, that period should not be less than two years.
  • Changes section 2.h to require a policy that requires, and section 2.i to require a procedure to configure.
  • Revises account lockout to no more than five failed access attempts, subject to technical and security limitations.
  • Requires Multi-Factor Authentication for all Trusted Role accounts on Certificate Systems accessible from outside a Secure Zone or High Security Zone, including those approving certificate issuance and Delegated Third Parties.

Timing and implementation

  • The ballot text gives a two-year grace period for password policy improvements.
  • It also states that effective April 1, 2020, if the CA has any policy that requires routine periodic password changes, that period shall not be less than two years.

Result

  • The ballot passed and became normative.
  • No exclusion notices are mentioned in the supplied evidence.
Model: gpt-5.4-mini Confidence: 0.98 Result: passed
Applicability and conditions

2020-04-01: If the CA has any policy that requires routine periodic password changes, the routine periodic password change period must not be less than two years.

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Proposers

Proposed by Tim Hollebeek of DigiCert and endorsed by Dimitris Zacharopoulos of Harica and Neil Dunbar of TrustCor.

Excerpt

Ballot SC003: Two-Factor Authentication and Password Improvements

The voting period for Ballot SC3 has ended, and the ballot has PASSED. Here are the results.
