Meeting the InCommon Assurance profile criteria using Active Directory

["Rank, Mark" <>]

David et al.:

I like the edits and especially like the background section as a way to address the federal context...

One wordsmithing proposal for consideration

"Currently, it is not very practical to crack RC4 HMAC, even though it has long-known vulnerabilities.  If that were to change (e.g., a simple crack program posted on the Internet), what would be Microsoft's response to protect its customers?"

to 

Currently, it is not very practical to crack RC4 HMAC, even though it has long-known vulnerabilities.  If that were to change (e.g., a simple crack program posted on the Internet), does Microsoft have a response procedure for such compromises? How will this procedure protect Microsoft's customers that may be operating at LoA-2 via an alternate means exception?"

Otherwise I think it looks great.

Regards,

Mark

--------------------------------------------------

Mark Rank
Project Manager - Identity & Access Mgt

UCSF Information Technology Services (ITS)
email:

phn:414-331-1476

--------------------------------------------------

---

From: [] on behalf of David Walker []
Sent: Friday, May 03, 2013 3:29 PM
To: InCommon AD Assurance Group
Cc: DHW
Subject: [AD-Assurance] Notes from today's AD Assurance call

Everyone,

Quick notes from this morning's AD Assurance call are on the wiki at https://spaces.internet2.edu/x/uAVOAg .  I've also revised our questions for Microsoft page ( https://spaces.internet2.edu/x/6oE_Ag ) to reflect the discussion.  Please review the questions by Tuesday, May 7, to correct any errors I've made.

David