Meeting the InCommon Assurance profile criteria using Active Directory

[David Walker <>]

As you know, the AAC discussed our IAP requirement interpretations earlier this week.  They agreed with all of our interpretations, except for 4.2.5.2 Resist Eavesdropper Attack.  Here are some notes from the discussion.

• In our interpretation of Section 4.2.3.6.1 Strong Protection of Authentication Secrets (subsection .1), we should clarify that we're only talking about passwords used by the IdP.
• The AAC accepted our interpretation of Section 4.2.3.6.2 Strong Protection of Authentication Secrets.  The interpretation, however, includes information that can be used to "...practically determine a user's password...," but the issue of practicality is not mentioned in that IAP section, so it should be removed from the interpretation.
• Also in Section 4.2.3.6.2, we should define what SPNEGO is.
• The AAC disagreed with our interpretation of Section 4.2.5.2 Resist Eavesdropper Attack. The first paragraph of this interpretation should be changed to say something like, "This section refers specifically to traffic between the Subject and the IdP, the IdP's Verifier, and/or a relying party. All other traffic to the AD DS is beyond the scope of 4.2.5.2."

  See the text of section 4.2.5 ("The Subject interacts with the IdP to prove that he or she is the holder of a Credential, enabling the subsequent issuance of Assertions.") for the intended scope. Section 4.2.3.6.3 covers other authentication traffic, requiring that "...the IdPO must have appropriate policies and procedures in place to minimize risk from this exposure."

• The AAC would like to have us add a little text describing what would comprise "impractical" in 4.2.5.1 and 4.2.5.2.  For example, we could mention use of Protected Channels and/or vendor attention to mitigating exploits as they appear in the wild.  This text will be helpful for others assessing compliance with these sections.

We can discuss this further in tomorrow's call.

David