Skip to Content.
Sympa Menu

ad-assurance - [AD-Assurance] VERY drafty alternative means statement

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

[AD-Assurance] VERY drafty alternative means statement

Chronological Thread 
  • From: David Walker <>
  • To: InCommon AD Assurance Group <>
  • Cc: DHW <>
  • Subject: [AD-Assurance] VERY drafty alternative means statement
  • Date: Thu, 08 Aug 2013 16:57:30 -0700

In our last call, I said I'd take a stab at an alternatives means statement for the use of unapproved algorithms in AD.  As I got further into writing, though, I realized I'm really not sure what we're looking for and where in the IAP we need it.  Looking over our "gaps" table, I think we need this only in and for MS Kerberos's use of MD4-HMAC without a tunnel, that NTLMv2 is OK, so I've written it up that way.  Is that all we're concerned about, or are we also wanting to include weaker authentication protocols like NTLMv1 and unsigned/unencrypted LDAP?  I apologize that my memory of last week's discussion is not up to the task.

Anyway, take a look at , and we can talk about it tomorrow.  It has the arguments for allowing less than perfect security in AD; I just don't know what sections of the IAP we want to apply them to.

I also suggest that we make a pass over the gaps table to make sure it reflects our current thinking.  It'll make it easier for us keep track of what we still need to resolve.


Archive powered by MHonArc 2.6.16.

Top of Page