AD-Assurance Notes from June 7
Eric Goodman, UCOP
Lee Amenya, UCSD
Mark Rank, UCSF
Erik Coleman, U of IL
Ron Thielen, U of Chicago
David Walker, Internet2/InCommon
Jeff Capehart, UFL
Michael Brogan, UW
Ann West, Internet2/InCommon
June 14 at Noon ET
Last call for changes to Cookbook before Community Review. Update on Microsoft discussion.
New Action Items
- Eric G to update BitLocker section.
- Last call for changes before community review due Thursday June 13 for discussion on our June 14 call.
- Ron will talk to UChicago operations to find out if there are undue hardships with using BitLocker.
- Ron will send AAC AM communication draft to the AD group.
Eric G contacted Nick and asked him to review the Cookbook. Nick had several comments, the most notable being the observation that one should use EFS in conjunction with BitLocker because BitLocker decrypts the volume at mount time.
[AI] Eric will recast the rationale for the use of BitLocker.
Ron found that BitLocker on Windows 7 decrypts sectors when they're read. The source document didn't mention 2008, however. If we confirm that BitLocker decrypts when read across the target platforms, then we're addressing the requirements. [AI] Ron will talk to UChicago operations to find out if there are undue hardships with using BitLocker.
[AI] Last call for changes before community review due Thursday June 13 for discussion on our June 14 call.
Implementers call - Eric G
Eric provided an update about the AD Assurance work on this month's Assurance Implementers call.
Comments on the call were:
- What elements of the AD Cookbook would apply to MIT Kerberos? What guidance can folks take and apply directly?
- SHA-1 is only Approved Algorithm by the end of 2013 for TLS.
Monitor and Mitigate Endorsement
[AI] Ron will draft communication to AAC and send to the AD group.