
Re: [Assurance] Reminder: AD Silver Cookbook: Release Candidate
  • From: Warren Anderson <>
  • To:
  • Subject: Re: [Assurance] Reminder: AD Silver Cookbook: Release Candidate
  • Date: Fri, 31 Jan 2014 10:45:44 -0600

Hi All,

I'm sorry to be coming in at the 11th hour here - I'm still coming up to
speed on IAP issues. I also have never administered or even used (to my
knowledge) an AD system, and don't really understand the details of how they
work. So, given that, please excuse me if I'm being naive and take this as an
opportunity to educate me.

I have a question regarding 4.2.5 and 4.2.6. In those sections there are
highlighted phrases that restrict the consideration of secure communications
as part of the IdP authentication/assertion event. There are accompanying
statements that all other traffic between the Subject and the AD DS is beyond
scope. Can I interpret that statement to imply that it is known that there is
no practical way to leverage replay or eavesdropper attacks on non-IdP
authentication events between the Subject and an AD DS to create an
authentication event via the IdP? For instance, what if I hijacked a
password change session with the AD DS? Or if I hijacked an authentication
session that allowed access to a webmail system where password reset links
are sent. Or similar sorts of escalation strategies? Is it implied in the
cookbook that none of these sorts of things can happen within the context of
AD? Or is there an implicit statement that these sorts of vulnerabilities
should be beyond the scope of the IAP for Silver? If the latter, as an SP
operator I would really downgrade my current view of what I would accept
Silver for.

Again, sorry if I'm missing the point here.

Warren

+================[ WARREN G. ANDERSON ]====================+
| PO Box 413, Dept. of Physics, Milwaukee, WI 53201, USA |
| CANADA: (403) 617 6720 USA: (414) 212 5446 |
+==========================================================+

On Jan 28, 2014, at 16:14, Ann West <> wrote:

> Just a reminder that comments on the AD Silver Cookbook are due COB
> tomorrow January 29.
>
> Due to popular demand (and the fact that I didn't send this reminder until
> today), we'll extend it to Friday January 31 COB.
>
> See links and relevant information below.
>
> Best,
> Ann
> -------
> Ann West
> Assistant Director,
> InCommon Assurance and Community
> Internet2 based at Michigan Tech
>
>
> office: +1.906.487.1726
> Come visit the new internet2.edu!
>
> On 1/15/14 9:54 PM, "Ann West" <> wrote:
>
> Dear Colleagues,
>
> The Release Candidate of the InCommon Silver with Active Directory Domain
> Services Cookbook – RC15012014 is now available for review at
> https://spaces.internet2.edu/x/coW8Ag . Comments are due by 29 January 2015
> for incorporation into the final document.
>
> For questions or comments, please forward them to
> .
>
> Best regards,
> Ann
> ---
> Ann West
> Assistant Director,
> InCommon Assurance and Community
> Internet2 based at Michigan Tech
>
>
> office: +1.906.487.1726
> Come visit the new internet2.edu!
>