AD-Assurance Notes from May 31

Eric Goodman, UCOP
Mark Rank, UCSF
Jeff Capehart, UFL
Jeff Whitworth, UNC-Greensboro
Michael Brogan, UW
Ann West, Internet2/InCommon

Next Call

June 7 at Noon ET
+1-734-615-7474 PREFERRED


Discussion of next iteration of the Cookbook. Final discussion of the Monitor and Mitigate AM and hand over to Ron. 

Action Items

  • Mark to send a note to the group requesting endorsement of the Monitor and Mitigate Alternative Means. 
  • Eric to provide update on progress on the Assurance Implementers Call June 6 at 12:00 pm ET.
  • Eric to contact Nick Roy and invite him to comment before the next call.

Previous Action Items

  • Eric to follow up with David re: long term vs. short term authentication secrets.
  • Ron to draft a statement about client caching of credentials via Data Protection API.
  • Ron will look into whether SysKey uses approved algorithms.
  • Eric to follow up on how Kerberos timeskew works
  • Eric to do additional Cookbook edits (see notes, below)



Nick Roy will be joining us on future calls.

Ann/Brian still working on getting Microsoft involvement. Stay tuned.

Eric will provide update on progress on the Assurance Implementers Call June 6 at 12:00 pm ET. 

Monitor and Mitigate Endorsement - Mark has posted the final version to the Wiki.
[AI] Mark to send out a request for endorsement by the members of the group. 

Cookbook Discussion

Kerberos and time skew - remove the current text and add a management assertion that says it's good enough: 5 minutes is the default for MIT and MS. Use that value or fewer minutes.

Pull out statements that are out of scope for AD-DS and keep track in a separate doc. Ann will figure out what to do with those. 

Organization: Organize under criterion with repeated info, or organize under solutions that address multiple criteria. For now, keep with the new format. 


Invite Nick to join the next call to talk about updates to Cookbook. Goal is to get Cookbook ready for broader review by end of call on June 14. 
