Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: Eric Goodman
- Subject: [AD-Assurance] RE: AD Cookbook
- Date: Sat, 5 Apr 2014 00:09:58 +0000
- Accept-language: en-US
I’ve made the next pass of edits. There were more than were on my last “to do” list because I uncovered older “to do’s” from the first discussion with the AAC that hadn’t been made yet. Because some of the changes required significant wording (Protected Channels => strong protection) or structure changes (removing sections referring to 126.96.36.199.3 and adding content to 188.8.131.52.2), it turned out to be a bit more extensive an edit than I had hoped, but hopefully not too controversial.
To see specific changes, compare version 5 to the current version (as I write this, the “revised” in the link is the current version, but that number changes over time as I fix typos and formatting errors (have I mentioned how much I hate the Confluence editor?)):
Summary of changes:
- Cookbook 3 Approach and Overview of Findings
  - Added reference to “strong protection” requirements (beyond just “Protected Channels”).
- Cookbook 4.1.2 and 4.1.2: Interpretation of IAP 184.108.40.206 and 220.127.116.11.1
  - Added language that calls out that IdMS Operations accounts are subject to these requirements (via reference to IAP 18.104.22.168.2).
- Cookbook 4.2.1 Problem Statement (under “Securing Authentication Traffic”)
  - Munged the language around to (try to) say that “strong protection” is required and that “Protected Channels” are given as an example of strong protection. (Removed language that indicated that Protected Channels were required.)
  - Updated final note to refer to 800-63-2 (instead of 800-63-1) and replaced “impractical to break” with “strong protection” in some cases. (Response to Warren Anderson’s comments.)
- Cookbook 4.2.3: Interpretation of IAP 22.214.171.124.2
  - Added point that this requirement is specific to network transmission of secrets.
  - Removed incorrect references to IAP 126.96.36.199.3.
  - Reworded the second note to clean up confusing language (unrelated to recent edits).
- Cookbook 4.2.4: Interpretation of IAP 188.8.131.52.3
  - Reworded section to give our updated interpretation, while calling out that it is explicitly out of scope for the cookbook.
- Cookbook 4.2.5 and 4.2.6: Interpretation of IAP 184.108.40.206/2
  - Changed to reflect Tom Barton’s input that IAP 220.127.116.11.2 does not have any specific replay or eavesdropping resistance requirements.
  - Removed reference to IAP 18.104.22.168.3.
- Cookbook 5.2.2 and 5.2.3: Recommendations for meeting IAP 22.214.171.124.2/3
  - Removed section heading for IAP 126.96.36.199.3 and merged its content into the section for IAP 188.8.131.52.2 (since, per Tom’s clarification, all network transmission cases are addressed in the .2 section).
  - Added language from David’s email calling out the main points we want to get across in the face of the new interpretations.
- Cookbook 7.3 and 7.4: Sample Management Assertions for IAP 184.108.40.206.2/3
  - Again, merged all content into the IAP 220.127.116.11.2 section and removed the IAP 18.104.22.168.3 section.