AD-Assurance Notes from November 22
Jeff Capehart, UFL
Eric Goodman, UCOP
David Walker, Internet2/InCommon
December 6 at Noon ET
- Review of comments received during Identity Week
- Review of where we are and what needs to happen next.
- No call next Friday. Happy Thanksgiving!
- Eric will revise the document according to the discussion on November 8, 2013. We will review the edits in our next call on December 6.
- Comments during an ACAMP session about the Cookbook tended to be very positive, although more than one reader said it made him "fell sick," because of the vulnerabilities in AD and how many of them are still allowed by Silver. The point, of course, is that Silver merely establishes minimum requirements for compliance. Each campus should be doing its own security assessment and mitigation, which will likely be more comprehensive than the authentication-related issues in the Cookbook.
- Issues note really related to AD
- Scott Koranda will be working with Ann to establish a group to look at Silver-related issues for MIT Kerberos.
- Eduroam may present issues for Silver certification.
- If there is a separate credential store to support it, then appropriate measures must be taken.
- This is a non-IdP use of a verifier, so doesn't absolutely require protected channels, but we believe that Radius may very well be configurable to use protected channels for eduroam.