Assurance

[Warren Anderson <>]

Hi All,

I'm sorry to be coming in at the 11th hour here - I'm still coming up to 
speed on IAP issues. I also have never administered or even used (to my 
knowledge) and AD system, and don't really understand the details of how they 
work. So, given that, please excuse me if I'm being naive and take this as an 
opportunity to educate me.

I have a question regarding 4.2.5 and 4.2.6. In those sections there are 
highlighted phrases that restrict the consideration of secure communications 
as part of the IdP authentication/assertion event. There are accompanying 
statements that all other traffic between the Subject and the AD DS is beyond 
scope. Can I interpret that statement to imply that it is known that there is 
no practical way to leverage replay or eavesdropper attacks on non-IdP 
authentication events between the Subject and an AD DS to create an 
authentication event via the IdP? For instance, what if I highjacked a 
password change session with the AD DS? Or if I highjacked an authentication 
session that allowed access to a webmail system where password reset links 
are sent. Or similar sorts of escalation strategies? Is it implied in the 
cookbook that none of these sorts of things can happen within the context of 
AD? Or is there an implicit statement that these sorts of vulnerabilities 
should be beyond the scope of the IAP for Silver? If the latter, as an SP 
operator I would really downgrade my current view of what I would accept 
Silver for.

Again, sorry if I'm missing the point here.

Warren

+================[ WARREN G. ANDERSON ]====================+
| PO Box 413, Dept. of Physics, Milwaukee, WI 53201, USA   |
|   CANADA: (403) 617 6720          USA: (414) 212 5446    |
+==========================================================+

On Jan 28, 2014, at 16:14 , Ann West 
<>
 wrote:

> Just a reminder that comments on the AD Silver Cookbook are due COB 
> tomorrow January 29. 
> 
> Due to popular demand (and the fact that I didn't send this reminder until 
> today), we'll extend it to Friday January 31 COB.
> 
> See links and relevant information below.
> 
> Best,
> Ann
> -------
> Ann West
> Assistant Director,
> InCommon Assurance and Community
> Internet2 based at Michigan Tech
> 
>  
> office: +1.906.487.1726 
> Come visit the new internet2.edu!
> 
> On 1/15/14 9:54 PM, "Ann West" 
> <>
>  wrote:
> 
> Dear Colleagues,
> 
> The Release Candidate of the InCommon Silver with Active Directory Domain 
> Services Cookbook – RC15012014 is now available for review at 
> https://spaces.internet2.edu/x/coW8Ag . Comments are due by 29 January 2015 
> for incorporation into the final document.
> 
> For questions or comments, please forward them to 
> .
> 
> Best regards,
> Ann 
> ---
> Ann West
> Assistant Director,
> InCommon Assurance and Community
> Internet2 based at Michigan Tech
> 
>  
> office: +1.906.487.1726 
> Come visit the new internet2.edu!
> 
> 
+================[ WARREN G. ANDERSON ]====================+
| PO Box 413, Dept. of Physics, Milwaukee, WI 53201, USA   |
|   CANADA: (403) 617 6720          USA: (414) 212 5446    |
+==========================================================+