InCommon Silver With Active Directory Domain Services Cookbook call

February 16th, 2012

Note-takers: Keith Brautigam, Nick Roy

Attendance: UW-Milwaukee: Mark Rank, Chris Spadanuda; University of Iowa: Nick Roy, Keith Brautigam; Carnegie Mellon University: Russell Yount; University of Florida: Warren Curry; University of Chicago: Ron Thielen, Cynthia Hazelton; Texas A&M: Susan Neitsch; Microsoft: Larry Gilreath; Internet2/InCommon/Michigan Tech: Ann West

Agenda: discuss changes to the cookbook from the public review period.

Discussion of changes to the cookbook from the public review period: mostly in the introduction, some cleanup of the eavesdropper and replay attack mitigation sections, added clarity on LMHASH invalidation via password change, and added clarity around the necessity to mitigate LDAP binds in the clear. Added a changelog. Russell suggests moving it to the end of the document; Nick will do.

General agreement that the changes are fine, with additional changes as noted.

Mark Rank: One detail, you use AD and Active Directory interchangeably, might want to consider using Active Directory in the introduction, then just AD throughout the rest of the document.

Nick Roy: Will do that, get revisions to the assurance list for comment.

Larry Gilreath: Should consider using Active Directory Domain Services, that's the official name for the product going forward.

Nick Roy: Any objections to using Active Directory Domain Services and AD DS throughout the document?

Russell Yount: That makes sense.

Cynthia Hazelton: It might be confusing that AD-DS came out in 2008, but the cookbook covers 2008/2003.

Nick Roy: Actually it's scoped to just 2008.

Cynthia Hazelton: OK, it will be good to match naming with Microsoft then.

Nick Roy: Will make those changes.

Warren Curry: Asked Iain Moffat and James Oulman, AD experts at UF, for feedback - they have been working with it with success, using it since last summer.

Nick Roy: OK, thanks, and I'd like to encourage implementers to submit case studies to the assurance wiki; there are some templates out there for doing that. I'll go ahead and make these changes, and we can ask for any final feedback on the assurance list. Ann, do you have an update on the assurance program you can share?

Ann West: Sure, and thanks for all the work on this.

Planning to release assurance program on the 29th, leap day, will have a webinar on that day to talk about specifics of submission. Hope to have a basic website out early next week with specifics of the legal agreement, pricing, etc. Will be adding information for auditors and more SP/IdP information as the program progresses. Had a meeting with CIC auditors, also including VT and UF auditors, and UCSB security/auditor guy. Developing a template that auditors can use in assessing compliance and background on Assurance Program for auditors. Plan to have a webinar for auditors to talk about the program after the first certification comes in. Testing: for those of you working on testing, really appreciate that, in the final stages of getting the initial documentation done. UF is evaluating Jim Fox's Shibboleth custom login handler (from U. Washington) to help IdPs with supporting Assurance with Shib. Ann will start coordinating these calls on a monthly basis. Mary Dunker put info on a multi-factor approach to Silver on the wiki and Ann will ask her to present on the next call. Could have a call on the technical considerations and how to set up Shib for Assurance too. If you have ideas on topics, let Ann know.

Nick Roy: Ann, thanks for continuing the calls, that will be a big help to the community.

Ann West: Continuing calls on a monthly basis OK with the group?

Nick Roy: Works for me.

Cynthia Hazelton: Good for me.

Chris Spadanuda: Yes, that works for us.

Nick Roy: Thanks everyone, and last, I'd like to put in a plug for March's IAM Online session; you can find out more about that from the InCommon participants and the EDUCAUSE IAM lists in the next few weeks. Ann, Mark Rank, Chris Spadanuda and I will be presenting on the cookbook effort.
