
ad-assurance - RE: [AD-Assurance] Applying FISMA to 800-63

Subject: Meeting the InCommon Assurance profile criteria using Active Directory


RE: [AD-Assurance] Applying FISMA to 800-63

  • From: Eric Goodman <>
  • To: "" <>
  • Subject: RE: [AD-Assurance] Applying FISMA to 800-63
  • Date: Tue, 30 Apr 2013 16:57:31 +0000
  • Accept-language: en-US
  • Authentication-results:; dkim=neutral (message not signed) header.i=none

I was calling out that the Kantara Specs, while looser, are just as vague as InCommon’s or 800-63 as it applies to the definition of “equivalent” algorithms.


That said, I recognize that I’m not really adding anything to the conversation by calling this out; we’re all clear that this is still the sticking point. David called out several threads ago that we need to either recommend AD/RC4-HMAC be considered a FIPS 140-2 equivalent, or we need to ask Microsoft for an alternative, and Jeff has already provided proposed language that AD/RC4-HMAC be considered “good enough” through 2015, pending any breaches in the meantime.


I think I’ve been convinced for a while that RC4 is “good enough” for today. My hesitation in whole-heartedly supporting Jeff’s recommendation is that it sounds like RC4 strength against attacks is falling off fairly quickly, and it seems that there could well be an attack between now and 2015(ish) that could further compromise RC4 to the point where it’s not sufficient for Silver purposes.


Should such an event occur, anyone who has implemented an AD-DS-based IdP solution using the RC4-based elements would be dependent on Microsoft to provide a new solution (patches, etc), or could face a very challenging requirement of overhauling their Microsoft environment (e.g., pervasive Windows 8/2013 upgrades). Is there a reasonable warning/risk notice we could add to any Alternate Means language that would appropriately call out the (my?) perceived risk? Is that even appropriate for AM language? Or are we even in agreement that this is a real risk, as compared to a hypothetical that could apply as well to AES mechanisms?


The conversation with Microsoft may help with this part of my concern.


--- Eric


From: [mailto:] On Behalf Of Ann West
Sent: Tuesday, April 30, 2013 9:11 AM
Subject: Re: [AD-Assurance] Applying FISMA to 800-63




Kantara spec is technically comparable to ours and 800-63 and has been reviewed by FICAM as well. If they interpret things a bit looser in the requirements, it's a big clue that we can follow suit. 



I do note that this is a little looser than what we’ve been discussing, as it only applies to intra-IdP-service communication over public and unsecured networks.


--- Eric
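Eric's concern above is exposure: if RC4 were no longer "good enough", which services and accounts in an AD-DS deployment would actually be affected? The following is an added example, not code from the AD-Assurance thread or from Microsoft, that sizes that exposure from the Ticket Encryption Type field of Windows Security event 4769 (Kerberos service ticket requests); the log records are constructed and flattened into one line each for illustration.

```python
# Added example (not part of the AD-Assurance thread): measure how much of an
# AD deployment still depends on RC4-HMAC Kerberos service tickets, using the
# "Ticket Encryption Type" field of Windows Security event 4769 (TGS request).
# The log lines are constructed; real 4769 events are XML/EVTX, not this form.
from collections import Counter

# Kerberos etype values as Windows logs them; 0x17/0x18 are RC4-HMAC variants,
# 0x01/0x03 are single DES, 0x11/0x12 are AES128/AES256 (the ones to move to).
WEAK_ETYPES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5",
               0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}

SAMPLE_4769 = """\
4769 Account=alice@EXAMPLE.EDU Service=HTTP/idp.example.edu TicketEncryptionType=0x12
4769 Account=bob@EXAMPLE.EDU Service=HTTP/idp.example.edu TicketEncryptionType=0x17
4769 Account=svc-legacy@EXAMPLE.EDU Service=MSSQLSvc/db01.example.edu:1433 TicketEncryptionType=0x17
4769 Account=carol@EXAMPLE.EDU Service=cifs/files.example.edu TicketEncryptionType=0x11
4769 Account=bob@EXAMPLE.EDU Service=cifs/files.example.edu TicketEncryptionType=0x17
"""

def parse_4769(line):
    """Turn one flattened 4769 record into (account, service, etype as int)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["Account"], fields["Service"], int(fields["TicketEncryptionType"], 16)

def rc4_exposure(log_text):
    """Return (weak-ticket count per service, set of accounts that got weak tickets).

    A service that only ever receives AES tickets has no RC4 dependency; a
    service or account that still gets RC4 tickets is what would need attention
    (AES keys, msDS-SupportedEncryptionTypes) before RC4 could be retired."""
    per_service = Counter()
    weak_accounts = set()
    for line in log_text.splitlines():
        account, service, etype = parse_4769(line)
        if etype in WEAK_ETYPES:
            per_service[service] += 1
            weak_accounts.add(account)
    return per_service, weak_accounts

if __name__ == "__main__":
    services, accounts = rc4_exposure(SAMPLE_4769)
    for svc, n in services.most_common():
        print(f"{svc}: {n} RC4/DES ticket(s)")
    print("accounts that received weak tickets:", sorted(accounts))
```

On the constructed sample, every service has at least one RC4 ticket, which is exactly the "dependent on Microsoft to provide a new solution" position Eric describes; the same tally run against real 4769 exports shows how far a given site is from being able to drop RC4.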


Archive powered by MHonArc 2.6.16.
