Skip to Content.
Sympa Menu

assurance - RE: [Assurance] dept's leveraging central authentication systems ....

Subject: Assurance

List archive

RE: [Assurance] dept's leveraging central authentication systems ....


Chronological Thread 
  • From: "Jones, Mark B" <>
  • To: "" <>
  • Subject: RE: [Assurance] dept's leveraging central authentication systems ....
  • Date: Mon, 20 Aug 2012 10:37:42 -0500
  • Accept-language: en-US
  • Acceptlanguage: en-US

The way I read this the concern is more likely the possibility of passwords
passing through third party applications. I take "non-IdP" to be anything
that does not authenticate via the IdP. So any application or service you
have integrated with your directory like mail or your ERP could qualify.

We have had some requests integrate third party applications that are not on
our network with our directory. In all cases where the application/service
present the user a login prompt the password passes through the application
in clear text at which point the application has the opportunity to mishandle
the username and password. For instance we have seen third party apps write
the username and clear text password to their log.

So I think the issue here would mainly be cases where the clear text password
leaves the confines of a properly administered network such as in the case of
a directory integrated application hosted off network by a third party (which
I don't recommend btw).

-----Original Message-----
From:


[mailto:]
On Behalf Of Ann West
Sent: Monday, August 20, 2012 9:36 AM
To:

Subject: Re: [Assurance] dept's leveraging central authentication systems ....

Hi Steven,

I suggest you join an Assurance monthly call and we can talk there about
this. However...

This sentence kinda confused me but I think I know where you're going "and I
have been interpreting "appropriate" to mean "the same as all the policies
and procedures relevant to our IDP infrastructure." I think the answer is
that you are correct.

If you have services using your silver credential, they should conform to the
Silver spec so the credential is not compromised. Look at the trust model
diagram on page 4 of the IAAF and you'll see non-IdP Apps within the scope
(shaded area) of the IAP implementation for that reason.

I think this is one reason why many schools are layering on two-factor and
using that for Silver-only apps, but I'm sure others can comment further.

A

----- Original Message -----
> I'm writing to ask whether I'm "over-interpreting" a section of the
> Silver profile.
>
> Section 4.3.6, #3 states:
>
> > If Authentication Secrets used by the IdP (or the IdP’s Verifier)
> > are exposed in a transient fashion to non-IdP applications (for
> > example, when users sign on to those applications using these
> > Credentials), the IdPO must have appropriate policies and procedures
> > in place to minimize risk from this exposure.
>
> I've been interpreting this to mean ....
>
> -- if a campus believes that its password-based mechanisms are silver
> compliant....
>
> -- if there are machines or services where the password of a
> silver-certified user passes through those services in plaintext form
>
> -- then the campus MUST have "appropriate policies and procedures in
> place to minimize risk from this exposure"
>
> -- and I have been interpreting "appropriate" to mean "the same as all
> the policies and procedures relevant to our IDP infrastructure".
> Equivalent would also probably work here, but I don't want to start
> down that slippery slope just yet.
>
> An easy example of this situation is a dept web server with some
> protected content that is authenticating against the central ldap
> server.
>
> My question is -- am I using too strict a definition of "appropriate"
> ?
>
> What are others in this same situation doing ?
>
> Thanks!
>



Archive powered by MHonArc 2.6.16.

Top of Page