Assurance

[Ann West <>]

Tom,

In simplifying Bronze to succinctly support the FICAM LoA1 Profile 
requirements, we pulled the essential pieces from 4.2.3.4 and 4.2.3.5 and 
created a new 4.2.3.5 that's Bronze only. 

It reads:
1. Authentication Secrets shall not be stored as plaintext. Access to stored 
Secrets and to plaintext copies shall be protected by discretionary access 
controls that limit access to administrators and applications that require 
access.
2. Plaintext passwords or Secrets shall not be transmitted across a network.

Does this help?

Ann



----- Original Message -----
> In moving from version 1.1 to 1.2 of the Identity Assurance Profiles,
> section 4.2.3.4 (Stored Authentication Secrets) was deemphasized,
> that is, the requirements of that section now only apply to Silver.
> I'm wondering why this was done? It seems that ALL IdPs should
> minimally protect their passwords stores since federated password
> stores, in particular, are very attractive targets.
> 
> Tom
>