ad-assurance - [AD-Assurance] Yet even more edits!

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

[AD-Assurance] Yet even more edits!


  • From: Eric Goodman <>
  • Subject: [AD-Assurance] Yet even more edits!
  • Date: Sat, 28 Sep 2013 06:05:24 +0000
  • Accept-language: en-US

I updated the page with most of the notes I had from this AM's discussion.

* Added a "document status" section to indicate this is a "draft for community review".

* Added some language in the first two paragraphs of the "scope" statement to clarify what we are NOT covering. (Gave specific example of HTTP as not addressed). The additional language is somewhat stilted, but hopefully gets the point across.

* Added link to SHA-1 draft 800-52 doc in Scope section.

* Split interpretation of 4.2.3.6.1 in half, putting the first sentence description under the section on "Encrypting Passwords" and the second sentence under the section on "Securing Authentication Traffic". Added a note in both interpretations about why they were split. Note that the interpretation of the first sentence is technically new language (though it is extremely similar to the previously reviewed interpretation covering the second sentence). Also added 4.2.3.6.1 to the list of IAP sections reviewed.

* Interpretation of 4.2.3.6.2: fixed an incorrect reference to section 4.2.5 to say 4.2.3.6.3 (to align with AAC corrections) that was overlooked in last week's edits. Changed "SASL" to "GSSAPI" in the example "SPNEGO-like" mechanisms. Otherwise left unchanged.

* Interpretation of 4.2.3.6.3 updated to indicate that this section covers any handling of authentication secrets. Calls out that, e.g., passwords are covered by both .2 and .3, while other secrets, e.g., NTLMv2/Kerberos, are covered only by .3. Added reference to transient handling of passwords within an application (and that such handling is out of scope of this document). MOST OF THE LANGUAGE HERE IS NEW based on this AM's call.

* Removed lots of "strikeout" text as agreed on the call.

* Changed "Compensating Controls" to "Controls" throughout.

* In "configuration recommendations" for section 4.2.3.6.1, added Jeff's doc links to configuring Kerberos encryption.

* In "configuration recommendations" for section 4.2.3.6.2, noted LDAPS can be enforced by blocking port 389, and that we don't have details for forcing TLS on port 389. Copied the note on potential impacts of disabling non-LDAPS traffic from the earlier "Interpretation" section. NOTE: I followed the link in this note, and didn't find that it actually informed me of what the impacts are. Removed reference to SSL/TLS SHA1 issues (since that's covered in the "Scope" section now).

* In "configuration recommendations" for section 4.2.3.6.3, added Jeff's doc links to requiring NTLMv2.

* In the glossary, added Authentication Credential (very simple definition), Authentication Secret (copied largely from interpretation of 4.2.3.6.2) and IdP (from the IAAF).
