Meeting the InCommon Assurance profile criteria using Active Directory

[David Walker <>]

Good points, Eric.  Funny, I found myself typing "replay," instead of "eavesdrop" while writing those notes.  I think all of us got confused.

David

On Fri, 2013-10-04 at 22:58 +0000, Eric Goodman wrote:

I’d further note:

 

• 7.6: Protected Channels resist eavesdropper attacks, which is the requirement, not to preclude eavesdropper attacks.

 

Two notes:

 

1)    I think he’s actually responding to the previous section (7.5), because of the focus on the “replay attack”. If you note, my typo is that both sections end stating they “resist replay attacks” even though the second should say “resist eavesdropping”.

 

2)     I don’t think the issue is resisting vs. precluding replay. I think the question is about what is replayable/eavesdroppable. The password is clearly replayable. The packet containing the password is not, because the protected channel keeps it from being so. Similarly, the packet is clearly eavesdroppable, but the unencrypted ciphertext is what is not eavesdroppable. And the measure of “how hard does it need to be” is “it needs to be a protected channel”.

 

 

I don’t think I’m saying anything new in #2, I’m just focusing more on the requirement being “use protected channels” as compared to arguing resist vs. preclude. (The latter argument could lead you to using weaker cryptography that wouldn’t meet the IAP requirement).

 

--- Eric



 

From: [mailto:] On Behalf Of David Walker
Sent: Friday, October 04, 2013 10:35 AM
To: InCommon AD Assurance Group
Subject: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call

 

Everyone,

Quick notes from today's call at https://spaces.internet2.edu/x/wYGZAg .  Please correct my mistakes.

David