November 30, 2011 InCommon Silver with AD Conference Call Notes
Note taker: Mark Rank, UW-Milwaukee

Attendance
Russell Yount (Carnegie Mellon), Nick Roy, Keith Brautigam (U. Iowa), Susan Neitsch (Texas A&M), Tom Callaci (UW-Madison), Ann West (InCommon/Internet2/Michigan Tech), Dan ? (Cal Poly San Luis Obispo), Ken Rowe (U. Illinois), Ron Thielen (U. Chicago), Carl Heins (UC Santa Barbara), Mark Rank, Chris Spadanuda et al. (UW-Milwaukee)

Action Items
-Nick will drop wording in 4.2.5.2 sample management assertions re: missing paragraph
-Nick will add a link to the Assurance FAQ to the cookbook.
-Nick/Ann will define a parallel place for implementation stories.  Ann will bounce ideas for this off the participants or assurance list.
-Nick will draft a note to the InC participants list re: the public comment period and run it by Ann/the group for feedback.
-Russell will add language about MSCHAPv2/RADIUS back into the cookbook.
-Nick will send a Doodle poll for a mid-January meeting out to the list
-Nick will poll the Assurance list to see if there are any remaining changes to the cookbook
-Ann will request comments from TAC before the public review period

Nick R.
Brief background on effort for those new to the call.  We’re in the home stretch for this effort.
Goals for this call:
-Discuss changes to the cookbook since the last call
-Summary of what is needed to close out the project/removing the “DRAFT” label
-Next steps

Changes since last time
Nick R.

Changed some minor typographical things to standardize
Corrected number of bits of entropy from 10->14 in Appendix F
Cleaned up wording around Kerberos as an acceptable authN protocol in 4.2.5.2 per Russell
Added some notes in places where wording was unclear
Added a placeholder for campus implementation experience – would like to get some experience put here as soon as people are ready to share what their implementation has been like.
Note about a reference to other sections in the “Sample Management Assertions” section of 4.2.5.2 that does not seem to be relevant; group agreed to drop this reference.

(Russell Y) Should we call out somewhere that InC-Silver is not NIST LoA 2?
(Ann W) Assurance folks will put this in the larger Assurance FAQ and also talk about the relationship between Silver and NIST LoA 2.
(Russell Y / Nick R) – Discussion about mitigating confusion.  Would be good to have link to the Assurance FAQ in the cookbook.

Russell Y.
Defined credential revocation and credential issuance in terminology appendix.

Any experience from anyone implementing pieces of the cookbook?

(Russell Y) – Some research on Kerb rate of fail (8/min), and for some common names up to 2/min.  Becomes an issue.  Subject to DoS types of attack.  Need to count failed logins in the aggregate across the credential store domain.
(Tom C) Comments about calculating out frequency and locking out people.  Common names are an issue.
(Chris S) UW-M looking at SEM products for this. 
(Tom C) Database to handle accounting/aggregating failures. 
(Russell Y) Making use of temp suspend to throttle. 
(Nick R) Popular name DoS case is an issue.  Need to find a way to titrate the level of pain.  Use VPNs.  Drop signal to noise if you limit outside connections.  A lot of this is not AD-specific; perhaps it’s in scope for the Assurance FAQ or other cookbooks?
(Russell Y) Should summarize these issues somewhere.
(Nick R to Ann W) Should we be documenting these?
(Ann W) Possible topics for future cookbooks.
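The point raised above about counting failed logins in the aggregate across the credential store domain, and about using a temporary suspension to throttle rather than a hard lockout, can be shown with a small simulation. This is an added example, not code from the cookbook or from any campus on the call; the event format, the two domain-controller names (dc1, dc2), the account names and the thresholds (5 failures in 60 seconds, 120-second suspension) are all constructed assumptions. It shows why a per-DC view misses a spray that stays under any single DC's threshold while the aggregate view catches it, and how the suspension bounds the outage a popular-name attack can cause.

```python
"""Aggregate failed-logon counting across a credential-store domain.

Added example (not the cookbook's code). Events are constructed:
(timestamp_seconds, reporting_host, account, success).
"""
from collections import defaultdict, deque

# Constructed sample: the same account fails alternately on two DCs, so no
# single DC ever sees the threshold, but the domain-wide total does.
SAMPLE_EVENTS = [
    (0,   "dc1", "jsmith", False),
    (5,   "dc2", "jsmith", False),
    (10,  "dc1", "jsmith", False),
    (15,  "dc2", "jsmith", False),
    (20,  "dc1", "jsmith", False),   # 5th failure inside the window
    (25,  "dc2", "jsmith", True),    # correct password, but still suspended
    (30,  "dc1", "alopez", False),   # unrelated account, one failure
    (150, "dc1", "jsmith", True),    # suspension expired, legitimate logon
    (155, "dc2", "jsmith", False),   # counter started fresh after success
]


class FailureAggregator:
    """Counts failures per account across every reporting host and applies a
    self-expiring suspension instead of a permanent lockout, so a popular-name
    DoS costs the real user at most `suspend_seconds` per burst."""

    def __init__(self, window_seconds=60, threshold=5, suspend_seconds=120):
        self.window = window_seconds          # sliding window for counting
        self.threshold = threshold            # aggregate failures that trip
        self.suspend = suspend_seconds        # length of the temporary suspension
        self.failures = defaultdict(deque)    # account -> recent failure times
        self.suspended_until = {}             # account -> epoch seconds
        self.per_host = defaultdict(int)      # (host, account) -> failures seen

    def _prune(self, account, now):
        # Drop failures that have aged out of the sliding window.
        recent = self.failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def record(self, now, host, account, success):
        """Return the decision for one logon attempt.

        Suspended accounts are refused before the credential is checked, so
        an attacker gains no additional guesses during the suspension."""
        if now < self.suspended_until.get(account, 0):
            return "throttled"
        if success:
            self.failures[account].clear()   # reset on a good logon
            return "ok"
        self.per_host[(host, account)] += 1  # what a single DC would see
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= self.threshold:
            self.suspended_until[account] = now + self.suspend
            self.failures[account].clear()
            return "suspended"
        return "failed"


def analyze(events, **kwargs):
    """Replay events through the aggregator and compare the aggregate view
    with the best any single host could have done on its own."""
    agg = FailureAggregator(**kwargs)
    decisions = [agg.record(*event) for event in events]
    return {
        "decisions": decisions,
        "max_single_host_failures": max(agg.per_host.values(), default=0),
        "aggregate_threshold": agg.threshold,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for event, decision in zip(SAMPLE_EVENTS, result["decisions"]):
        print(f"t={event[0]:>4} {event[1]} {event[2]:<7} -> {decision}")
    print("max failures seen by any one host:",
          result["max_single_host_failures"],
          "(threshold", result["aggregate_threshold"], ")")
```

In the sample, each DC sees at most three failures for jsmith, so a per-DC threshold of five never trips; only the domain-wide count does. The suspension is what titrates the pain: the legitimate user is refused for 120 seconds and then logs in normally, rather than staying locked until an administrator intervenes. Tuning the window, threshold and suspension length against the observed background failure rate for common names is the local decision the discussion points at.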

Other Suggestions

(Nick R/Ann W/Mark R) Make implementation stories a child or peer to cookbook.

(Russell Y) RADIUS and MSCHAPv2?
(Nick R) This is an area of concern; it was one of our original areas of concern.  Feedback from MS is that MSCHAPv2 is not acceptable as a zero-knowledge-based authN form.  This language was originally in the cookbook; perhaps we need to add it back in.
(Russell Y) MSCHAPv2 OK as long as it’s tunneled via TLS.

What’s Left?

Goal is to have final draft for Jan group call
Request comments from InC TAC?
After Jan Call, solicit broader comments.  “Public Comment Period” (Jan->Feb)

Should there be a set of guidelines in the public comment period for people to talk to on each reviewer’s campus about various details?  For instance, auditors, AD implementers, security people, policy people, leadership, etc.

(Ann W) Update on InCommon work.  Community work getting wrapped up.  Certification process package getting finalized.  Outreach webinar in Jan.  Testing of assurance “Use Case Zero” completed (VT and UWM).  SPs OK with Use Case Zero for now.  Working on Assurance Advisory Committee, which will have the roles of reviewing certification submissions and guiding the program.

(Russell Y) Does InCommon need to meet Silver assurance for their operations?  Ann said she’d check with Tom Scavo, but confident that they do need to and are compliant.  Silver certification in the metadata is per-entityID.
(Nick R) Does metadata mgmt. interface protect against brute force?
(Ann W) will have to check.
(Carl Hines) Tools for Auditors.  Ann needs to regroup on that in Dec.

Presentation or panel discussion at Spring I2?
(Nick R) Asked if group thought a presentation at I2 might be a good idea.  No comment from group.  Nick will work on abstract.  Ann wasn’t sure of deadline for submission, January time-frame probably.  Webinar planned for March IAM Online.
(Ann) Might be good to have a targeted webinar during public comment period, as well.

(Nick R / Mark R) Panel discussion might lend itself if some campuses have implementation stories to tell.

No plan for December meeting, will work via e-mail.  Will try to schedule next call for mid-January.
