SC22/WG15 N379

Extended Danish comments on the NP's for Security Amendments

u22a12 2.POSIX WG Danish Standards (DS)

Prepared prior to the WG15 meeting in May-93

1. Introduction

Comments on the Danish "NO" vote on the NP for POSIX Security Amendment.

2. Reason for "NO" vote: include authentication

The scope of POSIX Security should at least include authentication, as secure identification is a natural and necessary part of a (secure) Operating System. Without authentication at login and later, other OS-security mechanisms like auditing and Access Control Lists become somewhat obsolete.

A programmatic interface (API) to security should include such a basic functionality as authentication, so that portable programs that support different kinds of common security requirements, often beyond the traditional UNIX implementation, can be written. In the Danish legislation and the US DoD Password Management Guidelines (chapter 4 on authentication) there is a requirement for auditing of, and immediate REACTION to, a specified number of unsuccessful login attempts. Other examples are time-of-day/week restricted login, change of id or privilege, stricter passwords, etc. I.e., it should be possible to write a strictly POSIX conforming login program that would therefore be portable.

As the world is becoming more and more (transparently) networked, the need for appropriate security mechanisms AND for an authentication API accessible by networking programs and network-security systems is becoming more essential. The protocols and services developed in SC21-OSI and in the Kerberos project as in the OSF Distributed Computing Environment have to make use of an authentication service in the operating system.

In the absence of any relevant material in the POSIX Security WD provided by the US Member Body (IEEE), we suggest that the work done by X/Open be used as a starting point.

The Danish POSIX-WG on Security, Conformance and System Administration (u22a11@dkuug.dk) believes it is essential to at least include authentication in the scope for basic POSIX Security as a placeholder and reminder AND to make it possible to include at least, due to time constraints, the most basic and simple authentication API. Other areas such as greater network awareness should also be included at some point in time.