
technical-discuss - Re: [InC-Technical] InCommon Baseline Expectations Metadata Requirements

Subject: InCommon Technical Discussions

  • From: Rhys Smith <>
  • To: Scott Cantor <>
  • Cc: "" <>
  • Subject: Re: [InC-Technical] InCommon Baseline Expectations Metadata Requirements
  • Date: Wed, 8 Nov 2017 22:53:56 +0000

On 8 Nov 2017, at 22:05, Cantor, Scott <> wrote:
>
>> - Achieve a grade of A on the Qualys SSL scanner [1]

The problem with that is that it’s a moving target; the SSLLabs requirements
to get a particular grade change over time. It’s not a constant.


> I guess in my mind it's more interesting to tag systems with the grade we
> find than get into rules about what the grade should be unless they're
> actual rules. If I care, I should be able to filter on those grades, but
> just knowing "we'd like it to be an A but it's not a requirement" doesn't
> really get me anything useful that I can think of.

+1 on it being more interesting if it’s either a tag that indicates current
score, or one of the requirements for a “good citizen” tag.


> I guess the point is "SHOULDs" never help much. Same as with profiles.
>
> If we don't require something, I'd rather have a tag with the actual answer
> either so I can report on it to my security people, or to limit who I allow
> to use my system. Is it a huge value-add for InCommon to do SSL probes? I
> dunno. I know it's something I probably wouldn't do myself.

Just so happens I’ve been doing this in bulk on all endpoint hosts in UKf &
edugain MD for about 6 months or so now (with Qualys approval).

So, for anyone interested, the current state of InCommon entities that are
exposed through edugain:

A+ | 90
A | 422
A- | 113
B | 178
C | 119
F | 53
T | 8
Certificate not valid for domain name | 36
IP_ADDRESS_BLACKLISTED | 2
No secure protocols supported | 1
Unable to connect to the server | 44
Unable to resolve domain name | 39
Unexpected failure | 1

Rhys.
--
Dr Rhys Smith
Chief Technical Architect, Trust & Identity
Jisc

T: +44 (0) 1235 822145
M: +44 (0) 7968 087821
Skype: rhys-smith
GPG: 0x4638C985
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.



