Re: [Assurance] stored authentication secrets

  • From: Ann West <>
  • Subject: Re: [Assurance] stored authentication secrets
  • Date: Fri, 29 Jun 2012 09:09:47 -0400 (EDT)

Tom,

In simplifying Bronze to succinctly support the FICAM LoA1 Profile
requirements, we pulled the essential pieces from 4.2.3.4 and 4.2.3.5 and
created a new 4.2.3.5 that's Bronze only.

It reads:
1. Authentication Secrets shall not be stored as plaintext. Access to stored
Secrets and to plaintext copies shall be protected by discretionary access
controls that limit access to administrators and applications that require
access.
2. Plaintext passwords or Secrets shall not be transmitted across a network.

Does this help?

Ann



----- Original Message -----
> In moving from version 1.1 to 1.2 of the Identity Assurance Profiles,
> section 4.2.3.4 (Stored Authentication Secrets) was deemphasized,
> that is, the requirements of that section now only apply to Silver.
> I'm wondering why this was done? It seems that ALL IdPs should
> minimally protect their password stores since federated password
> stores, in particular, are very attractive targets.
>
> Tom
>


