assurance - RE: [Assurance] OpenAFS - AD
Subject: Assurance
List archive
- From: "Roy, Nicholas S" <>
- To: "" <>
- Subject: RE: [Assurance] OpenAFS - AD
- Date: Wed, 18 Jan 2012 23:19:15 +0000
- Accept-language: en-US
Hi Chris,
My take on it is that the acceptability of using DES to encrypt passwords for
credentials you plan to use for Silver is up to your interpretation of the
term "industry standard algorithm" in the IAP document. Version 1.1 of the
IAP uses this language when discussing acceptable encryption algorithms.
Version 1.0 of the document refers to algorithms that are "FIPS recommended
or NIST approved," which I don't believe allows DES, but I could be wrong.
In any case, you're probably better off assessing it against version 1.1 of
the IAP document, but you might want to talk to your auditor about their
interpretation of "industry standard" in this context.
Nick
-----Original Message-----
From:
[mailto:]
On Behalf Of Christopher A Spadanuda
Sent: Wednesday, January 18, 2012 4:03 PM
To:
Subject: [Assurance] OpenAFS - AD
Hi All,
We are working with a faculty member on campus who uses OpenAFS for one of
his courses. OpenAFS only supports DES encryption. The faculty member would
like use Active Directory for Authentication. Our AD is currently Windows
2008 R2. By default DES is not enabled.
If we set the Domain Controller Group Policy Object to specifically allow DES
encryption on the DC's and then allow DES on the Keberos service principal in
AD are we going to create a situation which makes silver assurance difficult
or impossible?
While the cookbook talks about DES encryption in relationship to LM
passwords, I don't believe that it addresses this specific use case. Unless
of course I am missing something.
Thanks,
Chris
___________________________________________________
Chris Spadanuda, Middleware and Identity Management Group Manager
University Information Technology Services
University of Wisconsin–Milwaukee
Office Phone: 414 229-5832 | E-mail:
Cell Phone: 414 507-4761
>>
- [Assurance] OpenAFS - AD, Christopher A Spadanuda, 01/18/2012
- RE: [Assurance] OpenAFS - AD, Roy, Nicholas S, 01/18/2012
Archive powered by MHonArc 2.6.16.