
Re: [Assurance] stored authentication secrets


  • From: Tom Scavo <>
  • To:
  • Subject: Re: [Assurance] stored authentication secrets
  • Date: Fri, 29 Jun 2012 09:18:13 -0400 (EDT)



> In simplifying Bronze to succinctly support the FICAM LoA1 Profile
> requirements, we pulled the essential pieces from 4.2.3.4 and
> 4.2.3.5 and created a new 4.2.3.5 that's Bronze only.
>
> It reads:
> 1. Authentication Secrets shall not be stored as plaintext. Access to
> stored Secrets and to plaintext copies shall be protected by
> discretionary access controls that limit access to administrators
> and applications that require access.
> 2. Plaintext passwords or Secrets shall not be transmitted across a
> network.

Yes, indeed, thanks for the clarification. I should have read the surrounding
context in the IAP more closely.

IMO, ALL IdPs in the InCommon Federation should follow the advice in the new
section 4.2.3.5. (There are other requirements in the IAP that rise to this
level of importance; I'm mentioning stored passwords today in light of recent
incidents in the news.)

Tom

> ----- Original Message -----
> > In moving from version 1.1 to 1.2 of the Identity Assurance
> > Profiles,
> > section 4.2.3.4 (Stored Authentication Secrets) was deemphasized,
> > that is, the requirements of that section now only apply to Silver.
> > I'm wondering why this was done? It seems that ALL IdPs should
> > minimally protect their passwords stores since federated password
> > stores, in particular, are very attractive targets.
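The quoted section 4.2.3.5 says that Authentication Secrets shall not be stored as plaintext, but the IAP does not prescribe how. The following is an added example, not code from the thread or from any InCommon or IAP document, showing one common way an IdP's credential store can meet that requirement: each password is kept only as a salted, iterated PBKDF2-HMAC-SHA256 digest, verification recomputes the digest from the stored parameters, and a small audit helper checks that a stored record does not still contain the plaintext. The record format, the iteration count and the function names are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example; the IAP text sets none of them.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 210_000      # iterated KDF slows offline guessing of a stolen store
SALT_BYTES = 16           # per-secret random salt defeats precomputed tables
KEY_BYTES = 32


def hash_secret(secret: str, iterations: int = ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Return a storable record that holds no plaintext copy of `secret`.

    Record layout (assumed for this example):
        algorithm$iterations$base64(salt)$base64(derived_key)
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt for every secret
    derived = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                  salt, iterations, dklen=KEY_BYTES)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_secret(secret: str, record: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare it
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algorithm, iterations_s, salt_b64, derived_b64 = record.split("$")
        iterations = int(iterations_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(derived_b64, validate=True)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def record_exposes_plaintext(secret: str, record: str) -> bool:
    """Audit helper: True if the stored record still contains the plaintext,
    i.e. the store would violate section 4.2.3.5 item 1."""
    return secret in record


if __name__ == "__main__":
    # Constructed sample credential, not a real one.
    pw = "correct horse battery staple"
    rec = hash_secret(pw)
    print(rec)
    print("verify correct:", verify_secret(pw, rec))
    print("verify wrong:  ", verify_secret(pw + "!", rec))
    print("plaintext in store:", record_exposes_plaintext(pw, rec))
```

Note that this covers only item 1 of 4.2.3.5 (storage). Item 2, not sending plaintext secrets across a network, is a transport matter (TLS between the browser, the IdP and any backend directory) and is not addressed by how the record is hashed.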
