- From: Tom Scavo <>
- Subject: Re: [Assurance] Information Security Guide to InCommon IAP Cross Reference
- Date: Fri, 20 Jul 2012 16:11:15 -0400 (EDT)
>> I would caution you from heading down the path of becoming
>> prescriptive. We worked very hard to remove such requirements
>> recognizing the diversity of our environments.
>
> Absolutely. :-) But something like "you should do something safe
> with your SAML signing keys" might be good to have included by
> reference somewhere.
Something by reference would be okay (https://spaces.internet2.edu/x/E43NAQ),
but I think a strong positive, non-prescriptive statement is warranted in
this case. The importance of the IdP's private signing key cannot be
overstated. It trumps everything else.
To avoid having to modify the IAP yet again, what if we incorporated this
directly into the boarding process for all certified IdPs? We might, for
example, ask a to-be-certified IdP to generate a new private signing key and
migrate the corresponding public key certificate into metadata. Does that
seem reasonable?
We already have a policy that states IdPs "SHOULD generate a new private key
and submit a certificate with a new public key every 3 years."
(https://spaces.internet2.edu/x/boY0). Enforcing this policy at the time of
certification doesn't seem too unreasonable. What do others think?
Tom
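The "generate a new private key and submit a certificate with a new public key every 3 years" policy discussed in this message can be checked mechanically at boarding time: pull the signing certificate(s) out of the IdP's published metadata and compare the certificate's notBefore date with the policy window. The script below is an added example written for this archive page; it is not code from the thread, from InCommon or from any IdP software. It assumes the policy's "3 years" can be approximated as 1095 days, uses a constructed, unsigned dummy certificate and a made-up entityID (https://idp.example.edu/idp/shibboleth) as sample input, and decodes only the X.509 fields it needs with a small DER walker so that it runs on the Python standard library alone.

```python
"""Check the signing certificate(s) published in SAML IdP metadata against a key-age policy.

Stdlib only: a small DER walker pulls notBefore out of the X.509 certificate, so the
check runs wherever Python runs, without a crypto library."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
MAX_KEY_AGE = timedelta(days=3 * 365)   # "every 3 years", approximated as 1095 days (assumption)


def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Yield (tag, content) for each TLV packed inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        yield tag, body


def cert_not_before(der):
    """notBefore of a DER X.509 certificate, following the RFC 5280 field order."""
    _, cert, _ = der_read(der)                          # Certificate ::= SEQUENCE
    tbs = next(der_children(cert))[1]                   # tbsCertificate ::= SEQUENCE
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                             # serial, signature, issuer, validity, ...
    tag, when = next(der_children(validity))            # first Time is notBefore
    # UTCTime (0x17) is YYMMDDHHMMSSZ, GeneralizedTime (0x18) is YYYYMMDDHHMMSSZ.
    # strptime's two-digit-year pivot (69) and RFC 5280's (50) disagree only for
    # YY in 50..68, which no real certificate carries (2050+ must use GeneralizedTime).
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(when.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def signing_certs(metadata_xml):
    """DER signing certificates of the IdP role; a KeyDescriptor with no 'use' covers both uses."""
    root = ET.fromstring(metadata_xml)
    out = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                out.append(base64.b64decode("".join(c.text.split())))
    return out


def check_key_age(metadata_xml, now):
    """[(not_before, age_in_days, compliant)] for each signing certificate in the metadata."""
    results = []
    for der in signing_certs(metadata_xml):
        nb = cert_not_before(der)
        age = now - nb
        results.append((nb, age.days, age <= MAX_KEY_AGE))
    return results


# ---- constructed sample data (not a real IdP; the certificate is unsigned and dummy) ----

def der_tlv(tag, content):
    """Encode one DER TLV, using the long length form above 127 bytes."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    n = (len(content).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(content).to_bytes(n, "big") + content


def make_sample_cert(not_before, not_after):
    """A structurally valid X.509 v3 certificate carrying only the fields the checker reads."""
    seq = lambda *parts: der_tlv(0x30, b"".join(parts))
    alg = lambda oid_hex: seq(der_tlv(0x06, bytes.fromhex(oid_hex)), der_tlv(0x05, b""))
    utc = lambda d: der_tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    sha256_rsa, rsa = alg("2a864886f70d01010b"), alg("2a864886f70d010101")
    name = seq(der_tlv(0x31, seq(der_tlv(0x06, bytes.fromhex("550403")),      # CN=
                                   der_tlv(0x0C, b"idp.example.edu"))))
    tbs = seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")),       # [0] version v3
              der_tlv(0x02, b"\x01"),                       # serialNumber
              sha256_rsa, name,                             # signature, issuer
              seq(utc(not_before), utc(not_after)),         # validity
              name, seq(rsa, der_tlv(0x03, b"\x00" * 17)))  # subject, dummy SPKI
    return seq(tbs, sha256_rsa, der_tlv(0x03, b"\x00" * 17))  # signatureValue is a placeholder


def sample_metadata(der_cert):
    """Minimal IdP metadata (constructed) publishing der_cert as the signing key."""
    b64 = base64.b64encode(der_cert).decode("ascii")
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def run_demo(now=datetime(2012, 7, 20, tzinfo=timezone.utc)):
    """Evaluate a 2008 key and a freshly rolled 2012 key as of this message's date."""
    far = datetime(2030, 1, 1, tzinfo=timezone.utc)
    old = make_sample_cert(datetime(2008, 1, 1, tzinfo=timezone.utc), far)
    fresh = make_sample_cert(datetime(2012, 7, 1, tzinfo=timezone.utc), far)
    return {label: check_key_age(sample_metadata(cert), now)[0]
            for label, cert in (("old", old), ("fresh", fresh))}


if __name__ == "__main__":
    for label, (nb, days, ok) in run_demo().items():
        print(f"{label}: notBefore={nb:%Y-%m-%d} age={days}d {'OK' if ok else 'ROTATE'}")
```

Two caveats a practitioner would want: a certificate's notBefore is only a proxy for key age (an IdP can re-wrap an old key in a new certificate, so the check must be paired with the IdP operator's attestation that the key itself was regenerated), and metadata can legitimately carry two signing KeyDescriptors during a rollover, which is why the check reports every signing certificate rather than stopping at the first.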