Skip to Content.
Sympa Menu

ad-assurance - [AD-Assurance] MS Joining AD Assurance Calls

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

[AD-Assurance] MS Joining AD Assurance Calls

Chronological Thread 
  • From: Ann West <>
  • To: "" <>
  • Subject: [AD-Assurance] MS Joining AD Assurance Calls
  • Date: Fri, 21 Jun 2013 15:04:28 +0000
  • Accept-language: en-US
  • Authentication-results:; dkim=neutral (message not signed) header.i=none

Follow up on my MS AI and the discussions going on above my pay grade. ;)

I have responded to Phil with our call schedule and info.

On 6/21/13 9:56 AM, "Phil West"

>Thanks, John. (Hello, Ann!)
>I have reached out to several folks, and I will include these names that
>you provided.
>I am mustering the right folks to identify resources that can help in the
>discussion, and who can help to gauge the proper action plans.
>We have an internal call today to discuss these topics.
>Once I hear back from the various contact points throughout Microsoft - I
>will reach back to schedule a conf call to dive into these questions
>live. We will shoot for this happening as soon as possible.
>I *hope* to get something on next week's schedule, but I am at the mercy
>of end-of-fiscal calendars (we end our fiscal on June30), as well as
>vacations. I will keep your team updated on our progress.
>Thanks again for sending this info...
>-----Original Message-----
>From: John Krienke
>Sent: Thursday, June 20, 2013 10:42 PM
>To: Phil West
>Cc: Shelton Waggener; Ken Klingenstein; Andrew Keating; Elaine Alejo;
>Khalil Yazdi; Kristin Rhodes; Adrian Wilson; Bill Hagen; Chris Niehaus;
>Lamont Harrington; Gregory Katz; Ann West
>Subject: Re: FOLLOW-UP: MSFT/Internet2 Sync Call
>Thanks for the kick off and the great summary of our call. Response below.
>On 6/12/13 2:52 PM, Phil West wrote:
>> * John mentioned that several documents existed - a historical "known
>> with AD and InCommon, the master updated list of issues identified,
>>and an
>> updated cookbook for AD with InCommon (I did find an older "silver"
>> _online_
>> <>
>> )
>> Next Steps:
>> * If I could get access to John's and Nate's documents, then our
>>group can
>> digest them and schedule a quick follow-up discussion with the
>> Team (and others who wish to join) - estimate a call to be
>>scheduled during
>> the week of June 24^th -28^th .
>I'm forwarding on our top priority item for resolution and have cc'd Ann
>West who directs our Assurance program. We're looking forward to meeting
>asap the week of the 24-28 to delve into a solution with the right folks
>on both of our sides.
>Currently, Microsoft Active Directory Domain Services has issues with
>compliance with our US Government-approved Identity Assurance Profiles
>and can not be used as an authentication methodology in a federated
>context with Federal Agencies without developing alternative means for
>our specification. Most research universities will be looking to adopt
>Profiles over the next couple years as the federal agencies that issue
>grants begin to require identity assurance via the Federal ICAM program.
>Diving several layers down, the key issue is that NTLMv1 has replay,
>eavesdropper, and protected channel vulnerabilities as defined by NIST.
>Use of
>NTLMv1 thus invalidates the assurance associated with a given digital
>identity (user account), unless alternatives means to mitigate these
>vulnerabilities is employed.
>We have a group developing the alternative means and recommended
>practices for campuses wishing to use AD-DS, but we need an AD-DS expert
>to help with our analysis and have a set of questions:
>Individuals we have identified that could assist with these questions
>Dean Wells, PM AD-DS
>Tim Myers, Security Program Manager, Common Criteria and FIPS 140-2
>Security Evaluations Aaron Margosis and Mark Simos of MCS Americas
>Cybersecurity Team
>The timing here is short: We need help by mid July so we can conduct
>community review, update the InCommon Spec, and release the practice
>recommendations by the time schools starts in the fall.
>Ann can also forward on the master issues list, though this above is our
>top priority.
>Thanks for being the catalyst and megaphone for our common goals.

  • [AD-Assurance] MS Joining AD Assurance Calls, Ann West, 06/21/2013

Archive powered by MHonArc 2.6.16.

Top of Page