ad-assurance - RE: [AD-Assurance] Applying FISMA to 800-63
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: Eric Goodman <>
- To: "" <>
- Subject: RE: [AD-Assurance] Applying FISMA to 800-63
- Date: Tue, 30 Apr 2013 16:57:31 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none
I was calling out that the Kantara Specs, while looser, are just as vague as InCommon’s or 800-63 as it applies to the definition of “equivalent” algorithms. That said, I recognize that I’m not really adding anything to the conversation by calling this out; we’re all clear that this is still the sticking point.

David called out several threads ago that we need to either recommend AD/RC4-HMAC be considered a FIPS 140-2 equivalent, or we need to ask Microsoft for an alternative, and Jeff has already provided proposed language that AD/RC4-HMAC be considered “good enough” through 2015, pending any breaches in the meantime.

I think I’ve been convinced for a while that RC4 is “good enough” for today. My hesitation in whole-heartedly supporting Jeff’s recommendation is that it sounds like RC4 strength against attacks is falling off fairly quickly, and it seems that there could well be an attack between now and 2015(ish) that could further compromise RC4 to the point where it’s not sufficient for Silver purposes. Should such an event occur, anyone who has implemented an AD-DS-based IdP solution using the RC4-based elements would be dependent on Microsoft to provide a new solution (patches, etc.), or could face a very challenging requirement of overhauling their Microsoft environment (e.g., pervasive Windows 8/2013 upgrades).

Is there a reasonable warning/risk notice we could add to any Alternate Means language that would appropriately call out the (my?) perceived risk? Is that even appropriate for AM language? Or are we even in agreement that this is a real risk, as compared to a hypothetical that could apply as well to AES mechanisms? The conversation with Microsoft may help with this part of my concern.

--- Eric

From: [mailto:] On Behalf Of Ann West

All,

Kantara spec is technically comparable to ours and 800-63 and has been reviewed by FICAM as well. If they interpret things a bit looser in the requirements, it's a big clue that we can follow suit.

-------

I do note that this is a little looser than what we’ve been discussing, as it only applies to intra-IdP-service communication over public and unsecured networks.

--- Eric
- Re: [AD-Assurance] Applying FISMA to 800-63, (continued)
- Re: [AD-Assurance] Applying FISMA to 800-63, David Walker, 04/25/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Eric Goodman, 04/26/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Capehart,Jeffrey D, 04/25/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, David Walker, 04/25/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Capehart,Jeffrey D, 04/25/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, Ann West, 04/29/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Rank, Mark, 04/29/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Eric Goodman, 04/29/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Rank, Mark, 04/30/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, Ann West, 04/30/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Eric Goodman, 04/30/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, David Walker, 04/30/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Capehart,Jeffrey D, 04/30/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, David Walker, 04/30/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Rank, Mark, 04/29/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, Ann West, 04/29/2013
- RE: [AD-Assurance] Applying FISMA to 800-63, Capehart,Jeffrey D, 04/25/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, David Walker, 04/25/2013
- Re: [AD-Assurance] Applying FISMA to 800-63, David Walker, 04/25/2013