
ad-assurance - [AD-Assurance] MS Joining AD Assurance Calls

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: Ann West <>
  • To: "" <>
  • Subject: [AD-Assurance] MS Joining AD Assurance Calls
  • Date: Fri, 21 Jun 2013 15:04:28 +0000

Follow up on my MS AI and the discussions going on above my pay grade. ;)

I have responded to Phil with our call schedule and info.

On 6/21/13 9:56 AM, "Phil West" <> wrote:

>Thanks, John. (Hello, Ann!)
>
>I have reached out to several folks, and I will include these names that
>you provided.
>I am mustering the right folks to identify resources that can help in the
>discussion, and who can help to gauge the proper action plans.
>
>We have an internal call today to discuss these topics.
>
>Once I hear back from the various contact points throughout Microsoft - I
>will reach back to schedule a conf call to dive into these questions
>live. We will shoot for this happening as soon as possible.
>
>I *hope* to get something on next week's schedule, but I am at the mercy
>of end-of-fiscal calendars (we end our fiscal on June 30), as well as
>vacations. I will keep your team updated on our progress.
>
>Thanks again for sending this info...
>
>-Phil
>
>-----Original Message-----
>From: John Krienke
>[mailto:]
>Sent: Thursday, June 20, 2013 10:42 PM
>To: Phil West
>Cc: Shelton Waggener; Ken Klingenstein; Andrew Keating; Elaine Alejo;
>Khalil Yazdi; Kristin Rhodes; Adrian Wilson; Bill Hagen; Chris Niehaus;
>Lamont Harrington; Gregory Katz; Ann West
>Subject: Re: FOLLOW-UP: MSFT/Internet2 Sync Call
>
>Phil,
>
>Thanks for the kick off and the great summary of our call. Response below.
>
>On 6/12/13 2:52 PM, Phil West wrote:
>> * John mentioned that several documents existed - a historical "known
>> issues" with AD and InCommon, the master updated list of issues
>> identified, and an updated cookbook for AD with InCommon (I did find an
>> older "silver" edition online
>> <https://spaces.internet2.edu/display/InCAssurance/AD+Silver+Cookbook>)
>...
>> Next Steps:
>>
>> * If I could get access to John's and Nate's documents, then our group
>> can digest them and schedule a quick follow-up discussion with the
>> Technical Team (and others who wish to join) - estimate a call to be
>> scheduled during the week of June 24th-28th.
>
>
>I'm forwarding on our top priority item for resolution and have cc'd Ann
>West who directs our Assurance program. We're looking forward to meeting
>asap the week of the 24-28 to delve into a solution with the right folks
>on both of our sides.
>
>Currently, Microsoft Active Directory Domain Services has issues with
>compliance with our US Government-approved Identity Assurance Profiles
>and cannot be used as an authentication methodology in a federated
>context with Federal Agencies without developing alternative means for
>our specification. Most research universities will be looking to adopt
>Profiles over the next couple years as the federal agencies that issue
>grants begin to require identity assurance via the Federal ICAM program.
>
>Diving several layers down, the key issue is that NTLMv1 has replay,
>eavesdropper, and protected channel vulnerabilities as defined by NIST.
>Use of NTLMv1 thus invalidates the assurance associated with a given
>digital identity (user account), unless alternative means to mitigate
>these vulnerabilities are employed.
>
>We have a group developing the alternative means and recommended
>practices for campuses wishing to use AD-DS, but we need an AD-DS expert
>to help with our analysis and have a set of questions:
>https://spaces.internet2.edu/display/InCAssurance/Questions+for+Microsoft.
>
>Individuals we have identified that could assist with these questions
>include:
>
>Dean Wells, PM AD-DS
>Tim Myers, Security Program Manager, Common Criteria and FIPS 140-2
>Security Evaluations
>Aaron Margosis and Mark Simos of MCS Americas Cybersecurity Team
>
>The timing here is short: We need help by mid July so we can conduct
>community review, update the InCommon Spec, and release the practice
>recommendations by the time school starts in the fall.
>
>Ann can also forward on the master issues list, though this above is our
>top priority.
>
>Thanks for being the catalyst and megaphone for our common goals.
>
>john.


