Meeting the InCommon Assurance profile criteria using Active Directory

[David Walker <>]

In our last call, I said I'd take a stab at an alternatives means statement for the use of unapproved algorithms in AD.  As I got further into writing, though, I realized I'm really not sure what we're looking for and where in the IAP we need it.  Looking over our "gaps" table, I think we need this only in 4.2.5.1 and 4.2.5.2 for MS Kerberos's use of MD4-HMAC without a tunnel, that NTLMv2 is OK, so I've written it up that way.  Is that all we're concerned about, or are we also wanting to include weaker authentication protocols like NTLMv1 and unsigned/unencrypted LDAP?  I apologize that my memory of last week's discussion is not up to the task.

Anyway, take a look at https://spaces.internet2.edu/x/soB2Ag , and we can talk about it tomorrow.  It has the arguments for allowing less than perfect security in AD; I just don't know what sections of the IAP we want to apply them to.

I also suggest that we make a pass over the gaps table to make sure it reflects our current thinking.  It'll make it easier for us keep track of what we still need to resolve.

David