
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] NR,*J*IT edits to cookbook


  • From: Eric Goodman <>
  • To: "" <>
  • Subject: [AD-Assurance] NR,*J*IT edits to cookbook
  • Date: Fri, 28 Jun 2013 05:49:48 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport07.merit.edu; dkim=neutral (message not signed) header.i=none

(As in: “No Really, *Just* In Time” edits…)

I put in the edits we discussed on the 6/14 call that I hadn’t gotten to for our 6/21 call.

The edits are all viewable in “version history” (https://spaces.internet2.edu/pages/diffpages.action?originalId=39420138&pageId=39420140 is the best link to use, as I had to make another minor edit after saving). The requested changes are:

  • Adding the IAP version number (1.2) to the first several references to the InCommon IAP
  • Moving descriptions of affected Windows versions into the Introduction (otherwise it’s largely unchanged)
  • Adding 4.2.8.2 to the list of IAP sections reviewed (since it is reviewed in the doc)
  • Clarifying that full disk encryption meets the standard of “decrypting <authentication> secrets only when immediately required for authentication” in our estimation
      ◦ This involved correcting the quote from the IAP as well as adding our analysis
  • Pointing out that removing LM hashes may not be technically required if full disk encryption is used.
  • Noting that the use of full disk encryption on DCs running on VMs is not supported by Microsoft

I also added these edits relevant to the recent conversation:

  • Clarified that NTLMv2 uses MD5 (not RC4)
  • Made reference to the definition of “impractical” added in 800-63-2 that we’ve been discussing.
      ◦ Really, this runs counter to the original request that the language around use of NTLMv2 be changed to indicate that breaking NTLMv2 is impractical. Until we meet with Microsoft or the AAC, I’m not sure we’ll get a clear answer to this issue, so I’m not too worried about getting the language here correct just yet.

--- Eric
