Assurance

["Jones, Mark B" <>]

The way I read this the concern is more likely the possibility of passwords 
passing through third party applications.  I take "non-IdP" to be anything 
that does not authenticate via the IdP.  So any application or service you 
have integrated with your directory like mail or your ERP could qualify.

We have had some requests integrate third party applications that are not on 
our network with our directory.  In all cases where the application/service 
present the user a login prompt the password passes through the application 
in clear text at which point the application has the opportunity to mishandle 
the username and password.  For instance we have seen third party apps write 
the username and clear text password to their log.

So I think the issue here would mainly be cases where the clear text password 
leaves the confines of a properly administered network such as in the case of 
a directory integrated application hosted off network by a third party (which 
I don't recommend btw).

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Ann West
Sent: Monday, August 20, 2012 9:36 AM
To: 

Subject: Re: [Assurance] dept's leveraging central authentication systems ....

Hi Steven,

I suggest you join an Assurance monthly call and we can talk there about 
this. However...

This sentence kinda confused me but I think I know where you're going "and I 
have been interpreting "appropriate" to mean "the same as all the policies 
and procedures relevant to our IDP infrastructure." I think the answer is 
that you are correct.

If you have services using your silver credential, they should conform to the 
Silver spec so the credential is not compromised. Look at the trust model 
diagram on page 4 of the IAAF and you'll see non-IdP Apps within the scope 
(shaded area) of the IAP implementation for that reason.

I think this is one reason why many schools are layering on two-factor and 
using that for Silver-only apps, but I'm sure others can comment further. 

A

----- Original Message -----
> I'm writing to ask whether I'm "over-interpreting" a section of the 
> Silver profile.
> 
> Section 4.3.6, #3 states:
> 
> > If Authentication Secrets used by the IdP (or the IdP’s Verifier) 
> > are exposed in a transient fashion to non-IdP applications (for 
> > example, when users sign on to those applications using these 
> > Credentials), the IdPO must have appropriate policies and procedures 
> > in place to minimize risk from this exposure.
> 
> I've been interpreting this to mean ....
> 
> -- if a campus believes that its password-based mechanisms are silver 
> compliant....
> 
> -- if there are machines or services where the password of a 
> silver-certified user passes through those services in plaintext form
> 
> -- then the campus MUST have "appropriate policies and procedures in 
> place to minimize risk from this exposure"
> 
> -- and I have been interpreting "appropriate" to mean "the same as all 
> the policies and procedures relevant to our IDP infrastructure".
> Equivalent would also probably work here, but I don't want to start 
> down that slippery slope just yet.
> 
> An easy example of this situation is a dept web server with some 
> protected content that is authenticating against the central ldap 
> server.
> 
> My question is -- am I using too strict a definition of "appropriate"
> ?
> 
> What are others in this same situation doing ?
> 
> Thanks!
>