Meeting the InCommon Assurance profile criteria using Active Directory

[David Walker <>]

Good point, Mark.  I'm happy leaving that section in.

David

On Mon, 2013-05-20 at 19:13 +0000, Rank, Mark wrote:
>     David: 
>     
>     
>     Thanks. I would agree with you comments. My reasoning to add the a descr of the committee is under the assumption that the alternate means may out live the committee. Thus describing it may have some utility for historic context. 
>     
>     
>     Regards,
>     Mark
>     
>     
>     --------------------------------------------------
>     Mark Rank
>     Project Manager - Identity & Access Mgt
>     UCSF Information Technology Services (ITS)
>     email: 
>     phn:414-331-1476
>     --------------------------------------------------

---

>     From:  [] on behalf of David Walker []
>     Sent: Monday, May 20, 2013 11:34 AM
>     To: 
>     Subject: Re: [AD-Assurance] To Do Item - Endorsement language..
>     
>     
>     
>     Mark,
>     
>     Maybe a little wordy, but I think it says the right things, so I'd leave it alone.  My one comment is with the "Interested Parties" section.  Does the AAC already recognize us as an advisory group?  (Probably a question for Ann.)  If so, then we probably don't have to explain who we are.
>     
>     David
>     
>     On Mon, 2013-05-20 at 16:41 +0000, Rank, Mark wrote:
> >         Folks...
> >         
> >         Here is a stab at an endorsement for the first alternate means ... It got wordy, but that is because I started out looking at an amicus brief for ideas on structure :). Feel free to suggest ruthless edits...
> >         
> >         Please advise,
> >         Mark
> >         
> >         -------------------------- begin draft -----------------------------
> >         
> >         Title:
> >         
> >         Endorsement by the AD Assurance Working Group in support of "Alternative Means for Satisfying Requirements 4.2.5.1, 4.2.5.2, and 4.2.8.2.1 in Active Directory Domain Services Environments" submitted by the University of Chicago.
> >         
> >         Introduction:
> >         
> >         This alternate means proposal involves a process by which credentials exposed to possible compromise through the use of unsigned, i.e. unencrypted, BINDs or the use of NTLMv1 are identified and become ineligible for Silver assertions within 72 hours of such use.
> >         
> >         Endorsement:
> >         
> >         In collaboration with representatives of the University of Chicago, the AD Assurance Working Group has reviewed the alternate means proposal. The working group found the proposal compatible with Identity Assurance Profile 1.2 and what the working group understands to be general accepted community practice. The working group wishes to endorse the proposal as one that would be both a practical solution and a benefit for the InCommon Assurance Program.
> >         
> >         Interested Parties:
> >         
> >         The AD Assurance Working Group is an ad-hoc working group of InCommon Federation representatives working on technical issues associated with compliance of Active Directory Domain Services and the InCommon Assurance Framework Profiles. The following working group members were involved with the review of the proposal and the final endorsement:
> >         
> >         Working Group Members
> >         
> >         <Name>, <Institution>
> >         Mark Rank, UCSF 
> >         
> >         -------------------------- end draft -----------------------------
> >         
> >         
> >         --------------------------------------------------
> >         Mark Rank
> >         Project Manager - Identity & Access Mgt
> >         UCSF Information Technology Services (ITS)
> >         email: 
> >         phn:414-331-1476
> >         -------------------------------------------------- 
> >     
>     
>