Skip to Content.
Sympa Menu

assurance - Re: [Assurance] dept's leveraging central authentication systems ....

Subject: Assurance

List archive

Re: [Assurance] dept's leveraging central authentication systems ....


Chronological Thread 
  • From: Ann West <>
  • To:
  • Subject: Re: [Assurance] dept's leveraging central authentication systems ....
  • Date: Mon, 20 Aug 2012 10:36:03 -0400 (EDT)
Hi Steven,

I suggest you join an Assurance monthly call and we can talk there about
this. However...

This sentence kinda confused me but I think I know where you're going "and I
have been interpreting "appropriate" to mean "the same as all the policies
and procedures relevant to our IDP infrastructure." I think the answer is
that you are correct.

If you have services using your silver credential, they should conform to the
Silver spec so the credential is not compromised. Look at the trust model
diagram on page 4 of the IAAF and you'll see non-IdP Apps within the scope
(shaded area) of the IAP implementation for that reason.

I think this is one reason why many schools are layering on two-factor and
using that for Silver-only apps, but I'm sure others can comment further.

A

----- Original Message -----
> I'm writing to ask whether I'm "over-interpreting" a section of the
> Silver profile.
>
> Section 4.3.6, #3 states:
>
> > If Authentication Secrets used by the IdP (or the IdP’s Verifier)
> > are
> > exposed in a transient fashion to non-IdP applications (for
> > example,
> > when users sign on to those applications using these Credentials),
> > the IdPO must have appropriate policies and procedures in place to
> > minimize risk from this exposure.
>
> I've been interpreting this to mean ....
>
> -- if a campus believes that its password-based mechanisms are silver
> compliant....
>
> -- if there are machines or services where the password of a
> silver-certified user passes through those services in plaintext form
>
> -- then the campus MUST have "appropriate policies and procedures in
> place to minimize risk from this exposure"
>
> -- and I have been interpreting "appropriate" to mean "the same as
> all
> the policies and procedures relevant to our IDP infrastructure".
> Equivalent would also probably work here, but I don't want to start
> down
> that slippery slope just yet.
>
> An easy example of this situation is a dept web server with some
> protected content that is authenticating against the central ldap
> server.
>
> My question is -- am I using too strict a definition of "appropriate"
> ?
>
> What are others in this same situation doing ?
>
> Thanks!
>

Archive powered by MHonArc 2.6.16.

Top of Page