InCommon Technical Discussions

["Cantor, Scott" <>]

On 11/8/17, 4:58 PM, "Nick Roy" 
<>
 wrote:

> We think errorURL should be included as well, but since it was not part
> of the 'required' elements that AAC specified (AAC assumed errorURL was
> part of the mdui: information, and it is not) that means this would have
> to go back to ACC to make errorURL a separate required element.

Maybe the better question is the one I've been asking a lot: when can we go 
back and start working on the next set of rules?

> - Achieve a grade of A on the Qualys SSL scanner [1]

I guess in my mind it's more interesting to tag systems with the grade we 
find then get into rules about what the grade should be unless they're actual 
rules. If I care, I should be able to filter on those grades, but just 
knowing "we'd like it to be an A but it's not a requirement" doesn't really 
get me anything useful that I can think of.

I guess the point is "SHOULDs" never help much. Same as with profiles.

If we don't require something, I'd rather have a tag with the actual answer 
either so I can report on it to my security people, or to limit who I allow 
to use my system. Is it a huge value-add for InCommon to do SSL probes? I 
dunno. I know it's something I probably wouldn't do myself.

-- Scott