ad-assurance - [AD-Assurance] RE: AD Cookbook
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: Eric Goodman <>
- Subject: [AD-Assurance] RE: AD Cookbook
- Date: Sat, 5 Apr 2014 00:09:58 +0000
- Accept-language: en-US
Hi all,

I’ve made the next pass of edits. There were more than on my last “to do” because I uncovered older “to do’s” from the first discussion with the AAC that hadn’t been made yet. Because some of the changes required significant wording (Protected Channels => strong protection) or structure changes (removing sections referring to 4.2.3.6.3 and adding content to 4.2.3.6.2), it turned out to be a bit more extensive an edit than I had hoped, but hopefully not too controversial. To see specific changes, compare version 5 to the current version (as I write this, the “revised” in the link is the current version, but that number changes over time as I fix typos and formatting errors (have I mentioned how much I hate the Confluence editor?)).

Summary of changes:

- Cookbook 3 Approach and Overview of Findings
  - Added reference to “strong protection” requirements (beyond just “Protected Channels”).
- Cookbook 4.1.2 and 4.1.2: Interpretation of IAP 4.2.3.4 and 4.2.3.6.1
  - Added language that calls out that IdMS Operations accounts are subject to these requirements (via reference to IAP 4.2.8.2.2).
- Cookbook 4.2.1 Problem Statement (under “Securing Authentication Traffic”)
  - Munged the language around to (try to) say that “strong protection” is required and that “Protected Channels” are given as an example of strong protection. (Removed language that indicated that Protected Channels were required.)
  - Updated final note to refer to 800-63-2 (instead of 800-63-1) and replaced “impractical to break” with “strong protection” in some cases. (Response to Warren Anderson’s comments.)
- Cookbook 4.2.3: Interpretation of IAP 4.2.3.6.2
  - Added point that this requirement is specific to Network Transmission of secrets.
  - Removed incorrect references to IAP 4.2.3.6.3.
  - Reworded the second note to clean up confusing language (unrelated to recent edits).
- Cookbook 4.2.4: Interpretation of IAP 4.2.3.6.3
  - Reworded section to give our updated interpretation, while calling out that it is explicitly out of scope for the cookbook.
- Cookbook 4.2.5 and 4.2.6: Interpretation of IAP 4.2.5.1/2
  - Changed to reflect Tom Barton’s input that IAP 4.2.3.6.2 does not have any specific replay or eavesdropping resistance requirements.
  - Removed reference to IAP 4.2.3.6.3.
- Cookbook 5.2.2 and 5.2.3: Recommendations for meeting IAP 4.2.3.6.2/3
  - Removed section heading for IAP 4.2.3.6.3 and merged its content into the section for IAP 4.2.3.6.2 (since, per Tom’s clarification, all network transmission cases are addressed in the .2 section).
  - Added language from David’s email calling out the main points we want to get across in the face of the new interpretations.
- Cookbook 7.3 and 7.4: Sample Management Assertions for IAP 4.2.3.6.2/3
  - Again, merged all content into the IAP 4.2.3.6.2 section and removed the IAP 4.2.3.6.3 section.
--- Eric

From: [mailto:] On Behalf Of Eric Goodman

I haven’t had a chance yet to make the edits we’ve discussed. I’ll go ahead and do those later today, and will send out a notice when done.

Do we have a reason to meet this morning(ish)? Or are we good with me just making edits according to the previous discussion? To repeat, the edits I have scheduled (at least prior to a more careful rereading) are listed below (some are duplicates of one another). If everyone’s okay with this, and we’re all just waiting on my edits, I’m not sure we need to take people’s time to actually discuss, but if discussion is warranted I’m happy to be on the call.

--- Eric

Proposed Action Items:

- Clarification of Protected Channels in IAP 4.2.6.2
  - Look at our categorization of protocols to ensure no language is in conflict with the updated interpretation. (Cookbook 3 and 4.2.1)
  - Clarify IAP 4.2.6.2’s interpretation to match the interpretation. (Cookbook 4.2.3)
  - Determine language around NTLMv1. (Cookbook 3 and 4.2.1)
- IAP 4.2.6.3 clarification
  - Update the Cookbook to take IAP 4.2.6.3 out of scope of the AD Cookbook. (Cookbook 4.2, 4.2.4)
  - Further clarify IAP 4.2.6.2’s interpretation in the Cookbook to also match the clarification (Tom’s interpretation of transmission vs. handling of passwords) here. (Cookbook 4.2.3)
- IAP silent on NTLMv1?
  - No change here, though the language may already be changed based on Protected Channels in 4.2.6.2, above. (Cookbook 3, 4.2.1, 4.2.3)