Skip to Content.
Sympa Menu

assurance - RE: [Assurance] last question

Subject: Assurance

List archive

RE: [Assurance] last question


Chronological Thread 
  • From: Lisa Campeau <>
  • To: "" <>
  • Subject: RE: [Assurance] last question
  • Date: Mon, 12 Nov 2012 20:20:20 +0000
  • Accept-language: en-US

And what if it's just potential compromise? And the personnel may or may not
have the id needed with them? Just trying to throw some real scenarios into
how to make this work in a situation we could face, and be ready for it.

- Lisa

-----Original Message-----
From:


[mailto:]
On Behalf Of Lisa Campeau
Sent: Monday, November 12, 2012 3:10 PM
To:

Subject: RE: [Assurance] last question

So, how does this work out for you in actual practice in a university
setting?

For instance, a compromise of several dozen faculty members. Do you send out
a team to re-silver-credential? What about a bigger compromise, say several
hundred?

-----Original Message-----
From:


[mailto:]
On Behalf Of Jones, Mark B
Sent: Monday, November 12, 2012 2:28 PM
To:

Subject: RE: [Assurance] last question

My opinion is that a 'reset' password should be issued with the same
procedure as the 'initial' password. This may be the same point Tom was
making.

If a password needs to be reset, what you are saying is that the person that
owns the account is no longer in control of the account. This is the same
state as when the account was new and the owner did not yet know the password.

-----Original Message-----
From:


[mailto:]
On Behalf Of Tom Scavo
Sent: Monday, November 12, 2012 1:21 PM
To:

Subject: Re: [Assurance] last question



> If a Silver credential is compromised, can or should it be reset using
> the compromised credential

If a credential is compromised, it needs to be revoked ASAP, that is, it
should no longer be recognized as a valid authenticator.

> and/ or by answering security questions?

I don't believe the IAP gives guidance in the area of password reset (which
is what I think you're asking about) so let me give my opinion FWIW. A
password is only as strong as the password reset mechanism that goes along
with it. Recent events on the open Internet have clearly demonstrated that
the Bad Guy, when confronted with a strong authenticator, turns his/her
attention to the password reset process using social engineering tactics.

Tom



Archive powered by MHonArc 2.6.16.

Top of Page