ad-assurance - Re: [AD-Assurance] VERY drafty alternative means statement
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: Ann West <>
- To: "" <>
- Subject: Re: [AD-Assurance] VERY drafty alternative means statement
- Date: Mon, 12 Aug 2013 19:39:22 +0000
- Accept-language: en-US
I concur that we need to follow what the IAP requires and not assume that it means more than it explicitly says. We have enough water to boil as it is.
Ann
From: "Michael W. Brogan" <>
Reply-To: "" <>
Date: Friday, August 9, 2013 6:52 PM
To: "" <>
Subject: RE: [AD-Assurance] VERY drafty alternative means statement

I have no disagreement with your statement from an overall risk management perspective, but that isn’t necessarily the same thing as what the IAP requires. I just thought it curious that the language in 4.2.5 seemed focused on IdP authentication events and it doesn’t mention non-IdP applications at all. In risk management exercises I look for cost-effective security. Investing a lot to replace/upgrade weak crypto while interfering with business operations is worth it only if eavesdropping, man-in-the-middle, session hijacking, and replay attacks are frequent avenues to credential compromise. But that doesn’t appear to be the case, despite all the potential threats that exist. The biggest problem at the UW (and I suspect many institutions) is that attackers ask users for their passwords and the users comply. I’m off on vacation for the next 10 days, so I’ll miss any interesting discussion about this that might come up on the next call.

--Michael

From: [] On Behalf Of David Walker

Interesting point. A principle I've always used is that credentials must be protected independent of where they may be stored or used. So, it really doesn't matter, for example, if a password is exposed by unencrypted LDAP between the IdP and the Verifier, or in some other authentication event. It's still the credential, and it's still been exposed. To more directly answer the question you asked, yes, the argument is for the “inclusive and” and under that interpretation you’d do LDAPS and be done. In other places in the IAP there are specific references to non-IdP apps, but not in section 4.2.5. Why did the authors call this out in some sections and not others? Just an oversight? Or maybe they had a narrower interpretation in mind and it was intentional.
- [AD-Assurance] VERY drafty alternative means statement, David Walker, 08/08/2013
- RE: [AD-Assurance] VERY drafty alternative means statement, Michael W. Brogan, 08/09/2013
- RE: [AD-Assurance] VERY drafty alternative means statement, Eric Goodman, 08/09/2013
- RE: [AD-Assurance] VERY drafty alternative means statement, Michael W. Brogan, 08/09/2013
- RE: [AD-Assurance] VERY drafty alternative means statement, Ron Thielen, 08/09/2013
- RE: [AD-Assurance] VERY drafty alternative means statement, Michael W. Brogan, 08/09/2013
- Re: [AD-Assurance] VERY drafty alternative means statement, David Walker, 08/09/2013
- RE: [AD-Assurance] VERY drafty alternative means statement, Michael W. Brogan, 08/09/2013
- Re: [AD-Assurance] VERY drafty alternative means statement, Ann West, 08/12/2013
- RE: [AD-Assurance] VERY drafty alternative means statement, Michael W. Brogan, 08/09/2013
- Re: [AD-Assurance] VERY drafty alternative means statement, David Walker, 08/09/2013
- RE: [AD-Assurance] VERY drafty alternative means statement, Eric Goodman, 08/09/2013
- RE: [AD-Assurance] VERY drafty alternative means statement, Michael W. Brogan, 08/09/2013
Archive powered by MHonArc 2.6.16.