David Walker, InCommon/Internet2
Brian Arkills, UWash
Michael Brogan, UWash
Jeff Capehart, UFL
Ron Thielen, UChicago
Joe Streeter, UW Madison
Eric Coleman, University of Illinois
Jeff Whitworth, UNC-Greensboro
Mark Rank, UCSF
Ann West, InCommon/Internet2
Next Call
April 12 at Noon ET
+1-734-615-7474 PREFERRED
+1-866-411-0013
0195240#
Agenda: Updates to AIs and finish off first pass through of matrix.
Determine if there will be sufficient attendance to hold April 19 call.
- Michael to update the matrix to reflect LDAP (SSL/TLS), Kerberos and protected channels guidance by citing it once in the matrix and using footnotes where later applicable.
- Jeff W will update 4.2.5.2.
- Brian will update 4.2.5.1.
Parking Lot
- Do we want to compare Kerberos5 with MS AD Kerb?
- Should review the matrix with an eye to our two use cases highlighted in the scoping doc: AD as a verifier, and AD as a provisioned copy of the credentials but not acting as the IdP's verifier.
Cookbook Todo List
Add guidance about methods to prevent transient password exposure.
NASA Questions
The subgroup will be meeting with NASA on April 17th. What should be the focus of the conversation: Do they support LoA 2 or higher with AD? If so, how?
March 29 notes approved.
Action Item Updates
David's AM Abstract - The InC AM process is meant to address alternative ways of meeting a specific criterion of the IAP; one can't submit a general AM that covers multiple criteria. An AM proposal is needed for the specific item, but we can introduce the notion of checking for non-compliant behavior and acting on it in a timely manner when found as a general strategy.
Michael's updates re: LDAP (SSL/TLS), Kerberos and protected channels - This information will be duplicated across the table. How should we document it? Add a footnote to the cell in which it first appears and then refer to that footnote in subsequent cells. Michael to update the table to reflect this approach for these topics.
Matrix
ALL - We need to review the matrix with an eye to our two use cases highlighted in the scoping doc: AD as a verifier, and AD as a provisioned copy of the credentials but not acting as the IdP's verifier.
4.2.5.1 - Resist Replay Attack - This is a passive listening attack where the bad guy is just replaying a hash or another credential as-is to access the target. This doesn't give you anything to make an identity assertion. Where AD fits into the IdMS and IdP is really important: if it acts as a verifier for the IdP or is storing the same password that the IdP verifier uses, then there are issues. Otherwise, it doesn't apply and there are no gaps.
AI - Brian will update this section.
4.2.5.2 - Resist Eavesdropper Attack - This active attack involves capturing the credential, decrypting it, and using it to gain access. Eavesdropping on a one-time-use token (Kerberos) is lower risk than on a multiple-use password. Kerberos, by its use of tickets, is not vulnerable to eavesdropper attack.
AI - All - Do we want to compare Kerberos5 with MS AD Kerb?
Discussed the term "impractical" as defined in 800-63: it requires a password that takes at least 2^80 cryptographic operations to crack. A 13-character password is 2^85.
AI - Jeff W. will update this section.
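An added worked example (not from the meeting notes) of the 2^80 "impractical" threshold discussed above: it computes the brute-force search space for a given alphabet size and length, checks the 13-character claim, and generalizes to the minimum length each alphabet needs. The alphabet sizes are assumptions (95 printable ASCII symbols), and the bound assumes uniformly random passwords.

```python
import math

# "Impractical" threshold as recorded in the notes: at least 2^80 operations.
IMPRACTICAL_BITS = 80

# Assumed alphabet sizes (constructed for this example).
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable_ascii": 95,
}


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of work to exhaust all passwords of this length: log2(size ** length).

    This is an upper bound: it assumes every password is chosen uniformly at
    random. Human-chosen passwords of the same length have far less entropy,
    so policy should not treat length alone as meeting the threshold.
    """
    return length * math.log2(alphabet_size)


def is_impractical(alphabet_size: int, length: int,
                   threshold_bits: int = IMPRACTICAL_BITS) -> bool:
    """True if exhaustive search needs at least 2^threshold_bits operations."""
    return search_space_bits(alphabet_size, length) >= threshold_bits


def min_length(alphabet_size: int,
               threshold_bits: int = IMPRACTICAL_BITS) -> int:
    """Smallest length whose full search space reaches the threshold."""
    return math.ceil(threshold_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    # Reproduces the notes' figure: 13 printable-ASCII characters is about 2^85.
    print(f"95^13 = 2^{search_space_bits(95, 13):.1f}")
    for name, size in ALPHABETS.items():
        print(f"{name}: need {min_length(size)} chars to reach 2^{IMPRACTICAL_BITS}")
```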