assurance - RE: [Assurance] silver, 2-factor, password requirements
- From: "Jones, Mark B" <>
- Subject: RE: [Assurance] silver, 2-factor, password requirements
- Date: Fri, 30 Nov 2012 10:07:18 -0600
- Accept-language: en-US
In the NIST standard only LoA 1 does not require identity proofing. 2FA is a
feature of levels 3 and 4. To define a profile that requires 2FA and no
identity proofing and to not "stop at just the NIST levels" is a departure
from the NIST standard.
How many profiles are we going to support? There are currently 959 SPs. If
we are not going to follow a standard then perhaps we will be supporting a
profile per SP?
-----Original Message-----
From: [mailto:] On Behalf Of Farmer, Jacob
Sent: Friday, November 30, 2012 8:20 AM
To: <>
Subject: Re: [Assurance] silver, 2-factor, password requirements
I don't think they are veering away from the standard.
The SP made a risk AND business assessment, I think (although I may be
putting words in Tom's mouth).
From a business perspective, Silver is only deployed at one site. My guess
is they can move much more quickly if they don't wait for broader silver
adoption.
From a technical perspective, they decided they need multifactor and don't
care about identity proofing, so Silver doesn't fit anyway.
I think this is exactly what we want SPs to do. It saves both parties time
-- it saves the IdP from vetting users for Silver who don't really need it,
and it provides the SP with the flexibility to target the things they think
are really important.
If enough share Tom's use case, maybe InC needs a third profile? I have
always assumed we don't stop at just the NIST levels.
Jacob
=========================
Jacob Farmer
Identity Management Systems
(812) 856-0186
On Nov 30, 2012, at 9:11 AM, "Jones, Mark B" <> wrote:
> There is no level 3 InCommon LoA and bronze/silver are essentially the same
> as NIST 1 & 2. Why veer away from the standard at level 3?
>
> Sent from my iPhone
>
> On Nov 30, 2012, at 7:47 AM, "Michael R. Gettes" <> wrote:
>
>> We are InCommon. We should be embracing InCommon LoA.
>>
>> /mrg
>>
>> On Nov 29, 2012, at 23:00, "Jones, Mark B" <> wrote:
>>
>>> So it sounds like you have determined that NIST LoA 2 / Silver is not
>>> sufficient, but you seem reluctant to fully embrace LoA 3.
>>>
>>> The risk assessment seems to closely follow NIST guidance. Why not
>>> embrace LoA 3 as defined by 800-63?
>>>
>>> -----Original Message-----
>>> From: [mailto:] On Behalf Of Tom Scavo
>>> Sent: Thursday, November 29, 2012 9:39 PM
>>> To:
>>> Subject: Re: [Assurance] silver, 2-factor, password requirements
>>>
>>>> The risk assessment concludes that the "Federation Manager is a
>>>> moderate-impact system" and it references the "Potential Impact
>>>> Categories for Authentication Errors" table from OMB M-04-04, but
>>>> does not say which LoA was identified. It looks to me that
>>>> "moderate-impact" could land it in LoA 2 or LoA 3 depending on
>>>> which risk categories earned the system as a whole the
>>>> moderate-impact designation. Did a "required LoA" result from this risk
>>>> assessment?
>>>
>>> Thanks for reading through this, Mark. There are probably as many
>>> interpretations of the risk assessment as there are readers. That said,
>>> focus for a moment on the first row in the table where the impact level
>>> is "equal to the impact level of the IdP's highest assurance profile." In
>>> other words, the entire trust fabric of the Federation depends on the
>>> integrity of the IdP signing certificates in metadata. Doesn't matter how
>>> much effort participants put into their IdP deployments, if a bad guy can
>>> impersonate one of your site admins, it's game over.
>>>
>>> I conclude from that simple analysis that we not only need two-factor
>>> authentication but we also need other compensating controls as well, at
>>> least for high-risk elements in metadata (such as IdP certificates and
>>> endpoints).
>>>
>>> Tom
>>