Subject: Federated Incident Response
Re: Sirtfi Incident Response: Credential compromise
- From: Tom Barton <>
- Subject: Re: Sirtfi Incident Response: Credential compromise
- Date: Mon, 11 May 2015 17:23:24 -0500
Hi Brett et al.,
I'm very sorry to have this reply so long after your question.
Short answer: Willingness to notify does belong in the sirtfi doc, ultimately.
Longer answer: The hardest part about trying to build an infrastructure for federated security incident response is that the risks are felt by one party but mitigation and response are tasked to another. That makes it hard for the latter party to see, at first, why they should invest in a problem felt by the former party.
The good news is that those latter parties are always glad to be of help managing an incident when they are asked.
So this leads naturally to a two-phase project. In the first phase we pursue a valuable use case that all parties agree is worthwhile and work out all of the details of how one can contact the other, how an SP can contact an IdP to help with what appears to be a compromised account, between any pair of the tens of thousands of SPs and IdPs globally.
In the second phase the focus is on that apparent imbalance between cost and benefit that impedes an IdP org from notifying an SP org proactively when they have had a related credential compromise. Minimize the circumstances in which that is actually a valuable thing to do and make it as painless as possible, but finally set the bar and help the community to determine that it should clear it.
I think this is best approached as two phases rather than one, because two smaller steps are more likely to succeed than one big step.
I've been working with a couple of colleagues over the last couple of weeks on a work plan to achieve operational federated security incident response. It mirrors these two phases for essentially the reasons stated. Several of the right parties and organizations are now engaged with this problem and have it prioritized and resourced, including REFEDS, the Geant AARC project, and InCommon. So I'm hopeful that we will actually make some progress on this problem.
On 4/6/2015 9:21 AM, Brett Bieber wrote: