Skip to Content.
Sympa Menu

ad-assurance - [AD-Assurance] Friday's call

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

[AD-Assurance] Friday's call


Chronological Thread 
  • From: David Walker <>
  • To:
  • Cc: DHW <>
  • Subject: [AD-Assurance] Friday's call
  • Date: Wed, 17 Apr 2013 14:47:05 -0700
  • Authentication-results: sfpop-ironport02.merit.edu; dkim=pass (signature verified)

Everyone,

Given what we just learned this afternoon (that NASA has not certified their AD to 800-63, LoA-2), I propose we talk on Friday about high-level strategies for getting AD ready for Silver.

We've got at least the following strategies we can apply to IAP sections that give us trouble (i.e., ones for which we can't just describe an AD configuration that complies):

  • Ask Microsoft for a solution.  I suspect we won't discover anything we don't already know, but we should ask.  Microsoft might be able to tell us of future plans to resolve the issue.
  • Apply Ron's "monitor and mitigate" alternatives means.
  • Require passwords with higher entropy?  This only works if AD's technical weaknesses are riskier for shorter/less complex passwords.  (I'm not nearly enough of a cryptographer to know.)
  • Weaken Silver by allowing something that 800-63 does not.  This is suboptimal and may not pass FICAM (may not even pass the AAC, I suppose).
  • Temporarily weaken Silver by allowing something that 800-63 does not, for a limited period of time.  This might work if Microsoft has a solution waiting in the wings and FICAM is being moderately generous.

Other ideas for approaches?  Here are the IAP sections in our table.  I've included what I think our strategy is when I know it.

  • 4.2.3.4 - Stored Authentication Secrets (S).  Use AD on top of Bitlocker or some other compliant full-disk encryption.
  • 4.2.3.5 - Basic Protection of Authentication Secrets (B).
  • 4.2.3.6 - Strong Protection of Authentication Secrets (S).
  • 4.2.5.1 - Resist Replay Attack (B, S).  Monitor and mitigate alternative means (assuming approval).
  • 4.2.5.2 - Resist Eavesdropper Attack (B, S).  Monitor and mitigate alternative means (assuming approval).
  • 4.2.8.2.1 - Network Security (S). Monitor and mitigate alternative means (assuming approval).

Could we use "monitor and mitigate" for 4.2.3.5 and 4.2.3.6?  Higher entropy passwords?  Does Microsoft have something coming up that would help us?  Other ideas?

Looking forward to Friday's discussion.

David


Archive powered by MHonArc 2.6.16.

Top of Page