AD-Assurance Notes from April 5
David Walker, InCommon/Internet2
Brian Arkills, UWash
Michael Brogan, UWash
Jeff Capehart, UFL
Ron Thielen, UChicago
Joe Streeter, UW Madison
Eric Coleman, University of Illinois
Jeff Whitworth, UNC-Greensboro
Mark Rank, UCSF
Ann West, InCommon/Internet2
April 12 at Noon ET
Agenda: Updates to AIs and finish off first pass through of matrix.
Determine if there will be sufficient attendance to hold April 19 call.
- Michael to update the matrix to reflect LDAP (SSL/TLS), Kerberos and protected channels guidance by citing it once in the matrix and using footnotes where later applicable.
- Jeff W will update 22.214.171.124.
- Brian will update 126.96.36.199.
- Do we want to compare Kerberos5 with MS AD Kerb?
- Should review the matrix with an eye to our two use cases highlighted in the scoping doc: AD as a verifier and AD as a provisioned copy of the credentials but not acting as the IdP's verifier.
Cookbook Todo List
Add guidance about methods to prevent transient password exposure.
The subgroup will be meeting with NASA on April 17th. What should be the focus of the conversation: Do they support LoA 2 or higher with AD? If so how?
March 29 notes approved.
Action Item Updates
David's AM Abstract - InC AM process is meant to address alternative ways of meeting the specific criterion of the IAP--- one can't submit a general AM that covers multiple criteria. Need an AM proposal for the specific item, but we can introduce this notion of checking for non-compliant behavior and acting on it in a timely manner when found as a general strategy.
Michael's updates re: LDAP (SSL/TLS), Kerberos and protected channels - This information will be duplicated across the table. How should we document it? Add a footnote to the cell in which it first appears and then refer footnote in subsequent cells. M to update the table to reflect this approach for these topics.
ALL - We need to review the matrix with an eye to our two use cases highlighted in the scoping doc: AD as a verifier and AD as a provisioned copy of the credentials but not acting as the IdP's verifier.
188.8.131.52 - Resist Replay Attack - This is a passive listening attack where the bad guy is just replaying a hash or another credential as-is to access the target. This doesn't give you anything to make an identity assertion. Where AD fits into IdMS and IdP is really important: If it acts as a verifier for the IdP or is storing the same password that the IdP verifier uses, then there are issues. Otherwise, it doesn't apply and there are no gaps.
AI - Brian will update this section.
184.108.40.206 - Resist Eavesdropper Attack - This active attack involves capturing the credential, decrypting it, and using it to gain access. Eavesdropping on one-time used token (Kerberos) is lower risk than a multiple-use password. Kerberos by the use of tickets is not vulnerable to eavesdropper attack. AI - All - Do we want to compare Kerberos5 with MS AD Kerb?
Discussed the term impractical defined in 800-63: requires password that takes at least 2^80 cryptographic operations to crack it. 13 character password is 2^85.
AI - Jeff W. will update this section.