
assurance - Re: [Assurance] Has anyone looked at using InCommon Silver accounts to access a secured wireless network?

  • From: Eric Goodman <>
  • To:
  • Subject: Re: [Assurance] Has anyone looked at using InCommon Silver accounts to access a secured wireless network?
  • Date: Thu, 8 Sep 2011 11:59:19 -0700

In general, higher ed (and certainly our institution) doesn't have any good
way to ensure that all machines are configured to not cache. (And you'd need
to enforce/audit it on Windows, Mac, Linux, Android, iPhone, etc...)

We basically require any application to show how it will keep the clients
from caching the credentials before granting access to the password. Some of
our wireless/VPN services have been able to meet this requirement (e.g.,
client credential caching is controlled or influenced by a server-side
setting, or other mitigations), and some have not. We have a "lower security"
password that we sometimes make available to apps that are not able to meet
this requirement.

--- Eric

On Sep 8, 2011, at 9:58 AM, Cynthia Haselton wrote:
> There are methods for limiting the cache for Windows clients...specifically
> the cache maintained by the operating system.
> For more information on client credential caching, see this article
> (2003/XP): http://support.microsoft.com/kb/913485
>
>
> -----Original Message-----
> From:
>
>
> [mailto:]
> On Behalf Of Cantor, Scott
> Sent: Thursday, September 08, 2011 9:17 AM
> To:
>
> Cc: Russell Yount
> Subject: Re: [Assurance] Has anyone looked at using InCommon Silver
> accounts to access a secured wireless network?
>
> On 9/8/11 10:12 AM, "Russell J Yount"
> <>
> wrote:
>
>> The Windows, Mac, and Linux wireless clients are storing the user's
>> password so the wireless client may roam and re-authenticate. Is this
>> acceptable in InCommon Silver?
>
> The cookbook mentions that the issue of clients caching passwords pushes
> all of the security requirements for password storage that apply to the AD
> server onto the client.
>
> -- Scott
>

Eric Goodman
Identity Management Project
UC Santa Cruz






