
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] RE: Notes from the May 24 AD Assurance call


  • From: Eric Goodman <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: Notes from the May 24 AD Assurance call
  • Date: Thu, 30 May 2013 23:42:07 +0000

AD Cookbook edits

Despite starting my editing process at least an hour earlier than on previous weeks, my edits are barely complete before CoB for those of us on the west coast.

The edits were rather small at this point, but I hope they address the most recent round of comments.

I still haven’t done anything to the appendices.

Other AIs

I failed to complete my action item of consulting with David on “long term” vs “short term” authentication secrets. I will note that the IAP uses the term “plain text passwords” or “passwords” and not 800-63’s more general “authentication secrets”, which seems to support David’s argument that NTLMv2 and non-armored Kerberos meet the IAP “as is” for purposes of this portion of 4.2.3.5.2 (Basic Protection of Authentication Secret (B)) and 4.2.3.6.1b/2 (Strong Protection of Authentication Secrets (S)).

However, since I failed to consult with David, I didn’t update the cookbook to reflect David’s response to my questions.

Kerberos Timeskew

According to RFC 4430 (http://tools.ietf.org/html/rfc4430), timeskew is a simple difference in clocks (i.e., ABS(time1-time2)). There is other interesting (but largely irrelevant to the “replay attack” issue) information about how clock skew will not necessarily cause logins to fail (see http://blogs.technet.com/b/askds/archive/2012/08/24/friday-i-mean-saturday-mail-sack-very-wordy-edition.aspx), but nothing that disagrees with the basic definition of how skew is calculated.

Unfortunately, learning this information didn’t really help in terms of understanding what our group recommendation is (assuming we have one) for how skew should be configured before we think a service should be considered to meet Silver requirements.

--- Eric

From: [mailto:] On Behalf Of Eric Goodman
Sent: Friday, May 24, 2013 10:37 AM
To:
Subject: [AD-Assurance] Notes from the May 24 AD Assurance call

Notes are online in the usual place. Action Items for Ron, Eric, Mark and to some extent David.

https://spaces.internet2.edu/display/InCAssurance/May+24%2C+2013

--- Eric
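As an added illustration of the skew-versus-replay point raised in the message above (example code written for this archive page; it is not from the thread, the AD cookbook, or any Kerberos implementation), the following Python models the checks a Kerberos acceptor applies to an authenticator: skew is computed exactly as the message describes, ABS(time1 - time2); an authenticator outside the window is rejected with KRB_AP_ERR_SKEW; one inside the window is checked against a replay cache that only needs to retain entries for the length of the window, which is why the configured skew is what bounds the replay exposure. The 5-minute window, the principal names and the timestamps are constructed assumptions, and the cache key is simplified to (client, ctime).

```python
"""Kerberos-style authenticator freshness and replay check (illustrative model, not AD's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed window: the commonly configured "Maximum tolerance for computer clock
# synchronization" value of 5 minutes. Treat this as an example setting, not a recommendation.
DEFAULT_MAX_SKEW = timedelta(minutes=5)


def clock_skew(t1: datetime, t2: datetime) -> timedelta:
    """Skew as the message describes it: the absolute difference of the two clocks, ABS(time1 - time2)."""
    return abs(t1 - t2)


@dataclass
class AcceptorReplayCache:
    """Models the server-side checks applied to an AP-REQ authenticator.

    Entries are keyed on (client principal, authenticator ctime); real implementations also
    key on the server principal and the microsecond field. Because any authenticator older
    than max_skew is already rejected by the skew check, the cache only has to remember an
    entry for max_skew after its ctime: the configured skew bounds the replay window.
    """
    max_skew: timedelta = DEFAULT_MAX_SKEW
    seen: dict = field(default_factory=dict)  # (client, ctime) -> time after which the entry is useless

    def _purge(self, now: datetime) -> None:
        for key in [k for k, expiry in self.seen.items() if expiry <= now]:
            del self.seen[key]

    def check(self, client: str, ctime: datetime, now: datetime) -> str:
        """Return "OK" or the name of the Kerberos error the acceptor would raise (RFC 4120 names)."""
        if clock_skew(now, ctime) > self.max_skew:
            return "KRB_AP_ERR_SKEW"      # authenticator timestamp outside the tolerated window
        self._purge(now)
        key = (client, ctime)
        if key in self.seen:
            return "KRB_AP_ERR_REPEAT"    # same authenticator presented again within the window
        self.seen[key] = ctime + self.max_skew
        return "OK"


def demo():
    """Constructed scenario; returns (list of outcomes, number of entries left in the cache)."""
    cache = AcceptorReplayCache()
    t0 = datetime(2013, 5, 30, 23, 0, tzinfo=timezone.utc)   # constructed base time
    outcomes = [
        # fresh authenticator, client clock 30 s behind the server: accepted
        cache.check("alice@EXAMPLE.EDU", ctime=t0, now=t0 + timedelta(seconds=30)),
        # the same authenticator seen again 2 minutes later: inside the window, caught by the cache
        cache.check("alice@EXAMPLE.EDU", ctime=t0, now=t0 + timedelta(minutes=2)),
        # seen again after 6 minutes: the skew check alone rejects it, so the cache entry may be dropped
        cache.check("alice@EXAMPLE.EDU", ctime=t0, now=t0 + timedelta(minutes=6)),
        # client clock 4 minutes AHEAD of the server: ABS() makes the check symmetric, still accepted
        cache.check("bob@EXAMPLE.EDU", ctime=t0 + timedelta(minutes=10), now=t0 + timedelta(minutes=6)),
        # client clock 6 minutes behind the server: rejected for skew before the cache is consulted
        cache.check("carol@EXAMPLE.EDU", ctime=t0 + timedelta(minutes=1), now=t0 + timedelta(minutes=7)),
    ]
    return outcomes, len(cache.seen)


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the interaction the thread is circling: widening the tolerated skew does not by itself let a reused authenticator through, but it lengthens the period during which the replay cache is the only thing stopping it, so a recommendation on skew is implicitly a recommendation on how long that cache must be trusted to hold entries.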
