Meeting the InCommon Assurance profile criteria using Active Directory

["Capehart,Jeffrey D" <>]

Can we make the statement that hardware based encrypted drives would be appropriate for AD servers?  

Whether that would extend to any file store for secrets would be beyond the cookbook, although implied.

Perhaps we are partially relying on having administrative rights to access the stored secrets.

Jeff

----- Reply message -----
From: "David Walker" <>
To: "" <>
Subject: [AD-Assurance] RE: Comment capturement
Date: Thu, Feb 6, 2014 11:02 am

This looks very good, Eric.  I made a small edit where you weren't sure who would review alternative means proposals.  It's the AAC.

I'd be tempted to add Ron's comment after the one about encrypting drives, and say that we believe it's a promising alternative means, but that review of such a proposal would be outside the scope of our AD Cookbook effort.

David

On Wed, 2014-02-05 at 17:28 +0000, Eric Goodman wrote:

Oh, a link might help…

 

https://spaces.internet2.edu/display/InCAssurance/Draft+responses+to+AD+20140115+public+comments

 

--- Eric

 

 

From: [mailto:] On Behalf Of Eric Goodman
Sent: Tuesday, February 04, 2014 4:44 PM
To:
Subject: [AD-Assurance] RE: Comment capturement

 

Okay, responding to my own response to my own message…

 

I’ve gathered the questions and drafted responses to each of them. Note that in response to Warren’s question I found two edits I was supposed to make that I hadn’t. Yikes – hopefully they are the only ones! I’ll double check the current draft against the rest of the notes I took. The missing edits are noted in the draft response (have I mentioned how much I hate the error prone confluence editor?) – I can move each of them to their own errata line – i.e., make them separate “comments” if that makes more sense.

 

I still owe a request to the AAC to review our interpretations in the RC draft.

 

--- Eric

 

From: [] On Behalf Of Eric Goodman
Sent: Tuesday, February 04, 2014 1:35 PM
To:
Subject: [AD-Assurance] RE: Comment capturement

 

Further followup:

 

Should Ron’s comment about bitlocker be considered a comment (in the public comments page I’m creating), or should I leave it off? I think that leaving it off is okay given (a) we decided he’d address via an AM (which we should add if an when it’s approved) and (b) Robert Mackin’s question about self-encrypting drives – which I’ve already captured – would seem to duplicate the essence of Ron’s comment anyway.

 

--- Eric

 

From: [] On Behalf Of Eric Goodman
Sent: Tuesday, February 04, 2014 12:26 PM
To:
Subject: [AD-Assurance] Comment capturement

 

More list noise:

 

On our previous drafts, we created a “comments” page, rather than collecting comments in-line (using the Confluence “comments” feature). I’m assuming this is what’s intended here. I don’t see any such existing page, so I’ll go ahead and create one. Please redirect me if there’s an existing location for these comments!

 

--- Eric