RE: [Assurance] dept's leveraging central authentication systems ....

  • From: "Jones, Mark B" <>
  • To: "" <>
  • Subject: RE: [Assurance] dept's leveraging central authentication systems ....
  • Date: Mon, 20 Aug 2012 17:21:45 -0500
  • Accept-language: en-US
  • Acceptlanguage: en-US

To me all this means is that you have in place a policy and supporting
procedures of using HTTPS/LDAPS as opposed to HTTP/LDAP or some similar
secure protocol if the application communicates the password across the
network and that applications do not store, log, or display the password in
any way.

I don't think this section imposes any requirements that are not already a
common sense practice.

-----Original Message-----
From:


[mailto:]
On Behalf Of Steven Carmody
Sent: Thursday, August 16, 2012 2:46 PM
To:

Subject: [Assurance] dept's leveraging central authentication systems ....

I'm writing to ask whether I'm "over-interpreting" a section of the Silver
profile.

Section 4.3.6, #3 states:

> If Authentication Secrets used by the IdP (or the IdP's Verifier) are
> exposed in a transient fashion to non-IdP applications (for example,
> when users sign on to those applications using these Credentials), the
> IdPO must have appropriate policies and procedures in place to
> minimize risk from this exposure.

I've been interpreting this to mean ....

-- if a campus believes that its password-based mechanisms are silver
compliant....

-- if there are machines or services where the password of a silver-certified
user passes through those services in plaintext form

-- then the campus MUST have "appropriate policies and procedures in place to
minimize risk from this exposure"

-- and I have been interpreting "appropriate" to mean "the same as all the
policies and procedures relevant to our IDP infrastructure".
Equivalent would also probably work here, but I don't want to start down that
slippery slope just yet.

An easy example of this situation is a dept web server with some protected
content that is authenticating against the central ldap server.

My question is -- am I using too strict a definition of "appropriate"?

What are others in this same situation doing?

Thanks!
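The two controls the reply above boils this down to (the password must not cross the network in the clear, and the application must not store, log, or display it) are the kind of thing a campus can check mechanically for each departmental application that binds against the central LDAP server. The following is an added example written for this archive page; it is not code from either poster or from any IdP product. The settings dictionaries are constructed for illustration, the key names are hypothetical, and the hostnames are placeholders. It reports where a departmental web server's configuration would expose a password, and shows a logging filter that redacts password values before they reach a log file.

```python
import logging
import re
from urllib.parse import urlparse

# Constructed settings for a hypothetical departmental web app that
# authenticates users against the central directory. Key names are
# assumptions made for this example, not any product's real config.
WEAK_SETTINGS = {
    "ldap_url": "ldap://ldap.example.edu:389",      # plain LDAP, no TLS
    "ldap_starttls": False,
    "ldap_verify_cert": False,
    "web_base_url": "http://dept.example.edu/app",  # login form over HTTP
    "log_request_bodies": True,                     # POST bodies hit the log
}

HARDENED_SETTINGS = {
    "ldap_url": "ldaps://ldap.example.edu:636",     # LDAPS to the directory
    "ldap_starttls": False,
    "ldap_verify_cert": True,                       # reject impostor servers
    "web_base_url": "https://dept.example.edu/app",
    "log_request_bodies": False,
}


def check_settings(settings):
    """Return a list of findings, each describing a way a user's password
    could be exposed by this configuration. An empty list means the two
    controls discussed in the thread (transport protection, no logging)
    are both satisfied as far as configuration can tell."""
    findings = []

    ldap = urlparse(settings["ldap_url"])
    if ldap.scheme == "ldap" and not settings.get("ldap_starttls"):
        findings.append("bind password sent to the directory in cleartext "
                        "(use ldaps:// or StartTLS)")
    elif ldap.scheme not in ("ldap", "ldaps"):
        findings.append(f"unexpected directory scheme {ldap.scheme!r}")
    if not settings.get("ldap_verify_cert"):
        # TLS without certificate verification still lets a spoofed
        # directory server collect every password the app binds with.
        findings.append("directory server certificate is not verified")

    web = urlparse(settings["web_base_url"])
    if web.scheme != "https":
        findings.append("login form served over HTTP; password crosses "
                        "the network in cleartext")

    if settings.get("log_request_bodies"):
        findings.append("request bodies are logged; login POSTs would "
                        "record passwords")
    return findings


# Matches password-like fields in log text, e.g. "password=hunter2"
# or "Password: s3cret", capturing the key and separator so they survive.
_SECRET_RE = re.compile(r"(?i)\b(password|passwd|pwd)(=|:\s*)([^&\s,]+)")


def redact(text):
    """Replace any password value in a log line with [REDACTED]."""
    return _SECRET_RE.sub(r"\1\2[REDACTED]", text)


class RedactSecrets(logging.Filter):
    """Logging filter that scrubs password values from every record
    before a handler writes it out. Attach it to the app's handlers."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"{name}: {check_settings(cfg) or 'no findings'}")

    log = logging.getLogger("dept-app")
    handler = logging.StreamHandler()
    handler.addFilter(RedactSecrets())
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed log line: the value after password= never reaches stderr.
    log.info("login attempt user=%s password=%s", "alice", "hunter2")
```

Running the script prints four findings for the weak configuration, none for the hardened one, and a login line with the password replaced. The check is deliberately configuration-only: it tells a departmental administrator where the obvious exposures are, and leaves the "appropriate policies and procedures" judgement from the original question to the campus.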