assurance - RE: [Assurance] silver, 2-factor, password requirements
Subject: Assurance
List archive
- From: "Jones, Mark B" <>
- To: "" <>
- Subject: RE: [Assurance] silver, 2-factor, password requirements
- Date: Fri, 30 Nov 2012 14:18:57 -0600
- Accept-language: en-US
- Acceptlanguage: en-US
Ok... so if InCommon bears no risk why bother with a risk assessment? And
how did the result come out to be 'moderate'?
If there are two sets of accounts, which set have we been talking about?
I agree that passwords are hopeless. But if you don't care who is
authenticating then why care if they are using passwords?
-----Original Message-----
From:
[mailto:]
On Behalf Of Cantor, Scott
Sent: Friday, November 30, 2012 1:43 PM
To:
Subject: Re: [Assurance] silver, 2-factor, password requirements
On 11/30/12 2:29 PM, "Jones, Mark B"
<>
wrote:
>So is your argument that the data managed in Federation Manager is not
>owned by InCommon and thus InCommon bares none of the risk?
Yes, and I'm fairly sure that InCommon's participation agreement explicitly
outlines that it bears no risk.
>And because of this, are you saying that the member organizations can
>analyze their own risk in isolation and decide for themselves what
>procedure to use to issue credentials to their administrators and thus
>what LoA that credential meets? Doesn't this mean that the Federation
>Manager shouldn't care how administrators authenticate?
I think there are two sets of accounts here, one that InCommon manages and
the delegated ones. I believe that it's InCommon's choice what risk they can
accept in terms of authentication strength for the credentials it's issuing.
On the delegated side, I could be wrong, but I believe that in fact it's
*entirely* true that InCommon doesn't care how they authenticate. I didn't
think we were expecting to require anything in particular for them, and I
don't see anything on the Delegated Admin page that mentions it. So I think
you're dead on.
>If InCommon doesn't care who is authenticating that sounds like Bronze
>to me.
IMHO, passwords are hopeless, and no amount of entropy matters when there are
secret questions in place to reset them. If you want to avoid all that, but
leave out proofing, it's not Bronze. And it's not Silver. So whatever it is,
it's something else.
-- Scott
- Re: [Assurance] silver, 2-factor, password requirements, (continued)
- Re: [Assurance] silver, 2-factor, password requirements, Michael R. Gettes, 11/30/2012
- Re: [Assurance] silver, 2-factor, password requirements, Jones, Mark B, 11/30/2012
- Re: [Assurance] silver, 2-factor, password requirements, Farmer, Jacob, 11/30/2012
- Re: [Assurance] silver, 2-factor, password requirements, Tom Barton, 11/30/2012
- RE: [Assurance] silver, 2-factor, password requirements, Jones, Mark B, 11/30/2012
- Re: [Assurance] silver, 2-factor, password requirements, Cantor, Scott, 11/30/2012
- RE: [Assurance] silver, 2-factor, password requirements, Jones, Mark B, 11/30/2012
- Re: [Assurance] silver, 2-factor, password requirements, Cantor, Scott, 11/30/2012
- RE: [Assurance] silver, 2-factor, password requirements, Jones, Mark B, 11/30/2012
- Re: [Assurance] silver, 2-factor, password requirements, Cantor, Scott, 11/30/2012
- RE: [Assurance] silver, 2-factor, password requirements, Jones, Mark B, 11/30/2012
- Re: [Assurance] silver, 2-factor, password requirements, Cantor, Scott, 11/30/2012
- RE: [Assurance] silver, 2-factor, password requirements, Jones, Mark B, 11/30/2012
- RE: [Assurance] silver, 2-factor, password requirements, Farmer, Jacob, 11/30/2012
- RE: [Assurance] silver, 2-factor, password requirements, Jones, Mark B, 11/30/2012
- Re: [Assurance] silver, 2-factor, password requirements, Cantor, Scott, 11/30/2012
- RE: [Assurance] silver, 2-factor, password requirements, Jones, Mark B, 11/30/2012
- Re: [Assurance] silver, 2-factor, password requirements, Dennis Skovsted, 11/30/2012
- RE: [Assurance] silver, 2-factor, password requirements, Jones, Mark B, 11/30/2012
Archive powered by MHonArc 2.6.16.