Assurance

[Tom Scavo <>]

> In simplifying Bronze to succinctly support the FICAM LoA1 Profile
> requirements, we pulled the essential pieces from 4.2.3.4 and
> 4.2.3.5 and created a new 4.2.3.5 that's Bronze only.
> 
> It reads:
> 1. Authentication Secrets shall not be stored as plaintext. Access to
> stored Secrets and to plaintext copies shall be protected by
> discretionary access controls that limit access to administrators
> and applications that require access.
> 2. Plaintext passwords or Secrets shall not be transmitted across a
> network.

Yes, indeed, thanks for the clarification. I should have read the surrounding 
context in the IAP more closely.

IMO, ALL IdPs in the InCommon Federation should follow the advice in the new 
section 4.2.3.5. (There are other requirements in the IAP that rise to this 
level of importance, I'm mentioning stored passwords today in light of recent 
incidents in the news.)

Tom

> ----- Original Message -----
> > In moving from version 1.1 to 1.2 of the Identity Assurance
> > Profiles,
> > section 4.2.3.4 (Stored Authentication Secrets) was deemphasized,
> > that is, the requirements of that section now only apply to Silver.
> > I'm wondering why this was done? It seems that ALL IdPs should
> > minimally protect their passwords stores since federated password
> > stores, in particular, are very attractive targets.