...
Number | Line / Reference | Proposed Change or Query | Proposer | Action / Decision (please leave blank) |
---|---|---|---|---|
1 | General | The proposal sticks quite closely to NIST's guidelines (https://pages.nist.gov/800-63-3/sp800-63b.html) - it would be helpful to add a statement on whether these guidelines are in line with NIST 800-63B, to allow people to self-audit more easily. | Hannah Short (CERN) | All NIST references were removed from the main document to avoid the impression that there is a connection to the NIST guidelines. Only the terminology used is aligned with NIST, which is stated in the newly created Appendix A. |
2 | Chapter 4, Table | Could those pools, from which this number of characters is taken, be opened up? E.g. "52 letters (a-z)(A-Z)". | Sami Silén (CSC) | Appendix B was added, which contains some examples of character sets. |
3 | Chapter 4, Table | Kind of a minor notice, but it might be something to open up a little bit. Reading this table after reading the NIST guidelines, I had problems understanding the second line in each "Authenticator type". It didn't mean secrets chosen randomly by the CSP (which was the assumption I had got from the NIST document). Both lines are subscriber chosen and the length is just different because of the wider pool. | Sami Silén (CSC) | Appendix A was added, which defines the authenticator types used in the profile. This avoids the need to look into the NIST guidelines. Appendix B provides some examples, which should make it clear how to use the table. |
4 | Chapter 4, list | Suggest giving the required conditions names, so they can be referenced. E.g. SFA-1 (secret strength), SFA-2 (secret lifetime), SFA-3 (replacement). Not sure if it's worth referring to the sub-options. | Jens Jensen (STFC) | The unordered list in Section 4 has been replaced by a numbered list for easy referencing. |