Skip to Content.
Sympa Menu

ad-assurance - [AD-Assurance] RE: Updates to AD Cookbook 2013

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

[AD-Assurance] RE: Updates to AD Cookbook 2013


Chronological Thread 
  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: Updates to AD Cookbook 2013
  • Date: Fri, 6 Sep 2013 17:33:24 +0000
  • Accept-language: en-US

>>> This was a reference to SHA-1 approval being discontinued as of January (as is currently being discussed on the parent Assurance list). I don’t know/remember if RC4 protocol usage is actually a concern in the context of SSL.

 

If your web server supported cipher suites include ssl_rsa_with_rc4_128_sha or ssl_rsa_with_rc4_128_MD5 then RC4 is being used.

 

SHA-1 may also be in use for digital signature verification (_SHA) and potentially could be OK for legacy use.  There has been discussion that SSLv3 internally uses MD5 as part of HMAC which would not meet Protected Channel, but I thought that was only for the (_MD5) cipher suite.

 

Neither RC4 nor MD5 were ever approved algorithms, but at least SHA-1 has legacy approval after 2013 for digital signature verification (not generating the digital signature like for an SSL certificate, but validating it).  So if SSL were to be granted an exception or alternative means to a Protected Channel, it might need to address more than just allowing RC4.

 

There may be some SSL certificates out there that have expiration dates far into the future that still need to be validated each time they are used to create the SSL connection.

 

--Jeff C.

 

From: [mailto:] On Behalf Of Eric Goodman
Sent: Friday, September 06, 2013 11:47 AM
To:
Subject: [AD-Assurance] RE: Updates to AD Cookbook 2013

 

One correction (problem with late night editing):

 

We may need an alternate means statement here to allow SSL/TLS using RC4.

    • need LDAPS instructions
    • we separately pointed out that standard SSL/TLS uses the RC4 cipher. This may STILL need an alternate means section here to justify its use until there's widespread adoption of newer SSL/TLS protocols, though following the assertion we made for 4.2.6.2.1, we can probably just declare interception as "impractical"

 

This should reference SHA-1. This was a reference to SHA-1 approval being discontinued as of January (as is currently being discussed on the parent Assurance list). I don’t know/remember if RC4 protocol usage is actually a concern in the context of SSL.

 

--- Eric


Archive powered by MHonArc 2.6.16.

Top of Page