ad-assurance - Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT
- From: Eric Goodman <>
- To: "<>" <>
- Subject: Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT
- Date: Sat, 30 Mar 2013 14:45:57 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none
I think that the description is a good one. My only suggestion is that the language more clearly qualify that the monitoring requirement/suggestion is around practices under the direct control of the IdP operator; I'm assuming that's the actual intent here. I.e., monitoring for LM hash logins to AD is expected for an AD-DS-based IdP, but monitoring for passwords being posted on bulletin boards is not.
My main point is: there are IdP-enabled mechanisms that are non-compliant, and there are things a person could do that are non-compliant in general, and I assume we're only talking about the IdP-enabled mechanisms (like LM, unsigned/un-TLSed LDAP binds).
I expect this is a clear distinction here; I just want to ensure it's not misinterpreted when shared with a broader audience.
--- Eric
Eric Goodman
On Mar 29, 2013, at 11:15 AM, "David Walker" <> wrote:
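Eric's note treats monitoring for LM-hash logons and for unsigned or un-TLSed LDAP binds as practices under the IdP operator's control. The Python below is an added example, not part of this thread or of any InCommon or AD-Assurance document, showing what such monitoring looks like when run over exported Windows event messages: it classifies Security event 4624 by its "Package Name (NTLM only)" field (LM or NTLM V1 means a legacy hash was used) and Directory Service event 2889, which a domain controller logs for simple binds without TLS and SASL binds without signing once its LDAP interface diagnostic logging is raised, and it tallies findings per reason for a periodic report. The sample records are constructed, and the field layout assumes the standard message text of those two events.

```python
"""Classify AD event records for the IdP-controlled non-compliant paths the
thread names: LM/NTLMv1 logons (Security 4624) and unprotected LDAP binds
(Directory Service 2889). Added example; sample events are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Values of the "Package Name (NTLM only)" field of event 4624 that indicate
# a legacy LM/NTLMv1 exchange rather than NTLMv2.
LEGACY_NTLM_PACKAGES = {"LM", "NTLM V1"}

# "Binding Type" values reported by event 2889 (assumed from the documented
# message format; logged when the DC's LDAP interface events level is 2).
UNPROTECTED_BINDS = {
    "0": "simple LDAP bind without TLS",
    "1": "SASL LDAP bind without signing",
}


@dataclass
class Finding:
    event_id: int
    client: str
    identity: str
    reason: str


def _field(message: str, label: str, last: bool = False) -> str:
    """Return the value after 'label:' in an event message body ('?' if absent)."""
    hits = re.findall(re.escape(label) + r":\s*([^\r\n]+)", message)
    if not hits:
        return "?"
    return (hits[-1] if last else hits[0]).strip()


def classify_4624(message: str) -> Optional[Finding]:
    """Flag a logon that used the LM or NTLMv1 package."""
    pkg = _field(message, "Package Name (NTLM only)")
    if pkg not in LEGACY_NTLM_PACKAGES:
        return None
    # 4624 carries two "Account Name" fields (Subject, New Logon); the second
    # is the account that actually logged on.
    return Finding(4624, _field(message, "Source Network Address"),
                   _field(message, "Account Name", last=True),
                   f"legacy NTLM package {pkg}")


def classify_2889(message: str) -> Optional[Finding]:
    """Flag an LDAP bind that was neither TLS-protected nor signed."""
    btype = _field(message, "Binding Type")
    if btype not in UNPROTECTED_BINDS:
        return None
    return Finding(2889, _field(message, "Client IP address"),
                   _field(message, "Identity the client attempted to authenticate as"),
                   UNPROTECTED_BINDS[btype])


CLASSIFIERS = {4624: classify_4624, 2889: classify_2889}


def scan(records: Iterable[tuple]) -> list:
    """records: (event_id, message) pairs. Returns findings in input order."""
    findings = []
    for event_id, message in records:
        classify = CLASSIFIERS.get(event_id)
        if classify is None:
            continue  # events outside the two monitored paths are ignored
        finding = classify(message)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings: list) -> dict:
    """Count findings per reason: the figure a monitoring report needs."""
    counts: dict = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Constructed sample records in the shape of the real event message text.
SAMPLE_RECORDS = [
    (4624, "An account was successfully logged on.\nSubject:\n\tAccount Name:\t\tDC01$\n"
           "New Logon:\n\tAccount Name:\t\tjdoe\n"
           "Detailed Authentication Information:\n\tAuthentication Package:\tNTLM\n"
           "\tPackage Name (NTLM only):\tNTLM V2\n"
           "Network Information:\n\tSource Network Address:\t10.0.0.21\n"),
    (4624, "An account was successfully logged on.\nSubject:\n\tAccount Name:\t\tDC01$\n"
           "New Logon:\n\tAccount Name:\t\tlegacyapp\n"
           "Detailed Authentication Information:\n\tAuthentication Package:\tNTLM\n"
           "\tPackage Name (NTLM only):\tNTLM V1\n"
           "Network Information:\n\tSource Network Address:\t10.0.0.55\n"),
    (4768, "A Kerberos authentication ticket (TGT) was requested.\n"),
    (2889, "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
           "without requesting signing (integrity verification), or performed a simple bind "
           "over a clear text (non-SSL/TLS-encrypted) LDAP connection.\n"
           "Client IP address:\t10.0.0.77:49152\n"
           "Identity the client attempted to authenticate as:\tEXAMPLE\\svc-ldap\n"
           "Binding Type:\t0\n"),
    (2889, "The following client performed a SASL LDAP bind without requesting signing.\n"
           "Client IP address:\t10.0.0.78:50000\n"
           "Identity the client attempted to authenticate as:\tEXAMPLE\\jdoe\n"
           "Binding Type:\t1\n"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.event_id}: {f.identity} from {f.client}: {f.reason}")
    print(summarize(scan(SAMPLE_RECORDS)))
```

The NTLMv2 logon and the Kerberos TGT request produce no finding; only the NTLMv1 logon and the two unprotected binds are reported, which is the distinction the note draws between IdP-enabled mechanisms the operator can observe and user behaviour it cannot.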
- [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT, David Walker, 03/29/2013
- Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT, Eric Goodman, 03/30/2013