...

Ann West, InCommon/Internet2
Mary Dunker, Virginia Tech
Jim Green, Michigan State University
Susan Neitsch, Texas A&M
David Walker, Independent
David Bantz, University of Alaska
Benn Oshrin, Internet2
Lee Trant, University of Nebraska Medical Center
Brian Arkills, University of Washington
Michael Brogan, University of Washington
Arlene Allen, UCSB
Michael Hodges, University of Hawaii
James Oulman, University of Florida
Joe St Sauver, University of Oregon, Internet2
Shreya Kumar, Michigan Tech University
David Langenberg, University of Chicago
Ron Thielen, University of Chicago
Eric Goodman, University of California
Bry-Ann Yates, University at Albany, SUNY
Colorado State University

DISCUSSION

Assurance Requirements for the IDP

...

Q: In the SP metadata, is there an indication of what assurance level the SP requires?
A: No. The metadata contains an entity tag for the IdP if certified, but not the SP. The SP specifies its required assurance at the start of each session.

Approval of 1.2

Version 1.2 was approved by InCommon Steering on Feb. 11, 2013, and it is now the production spec. The Assurance website will be updated soon with the new information. Simplified Bronze is now in effect; an audit is no longer needed for Bronze and certification is free. Longer term, it's possible that Bronze assurance will replace the InCommon IdP Participant Operational Practices (POP).

...

Approved alternative means will be added to the website and will be considered normative.

The AD Silver Issue and 1.2

The issue with 1.2 and Active Directory is around the technology (the MD5 hash) that AD uses for storage of password secrets. There are doubts that AD could pass the "approved algorithm" bar set in version 1.2, although the alternative means option must be explored to determine this. While AD makes it possible to enable two-factor authentication, it is not possible to turn off authentication via password. Microsoft has not indicated that they plan to change the way passwords are stored in AD.

The AAC has determined that a first step is to convene a group to look at AD under alternative means and develop a risk assessment and mitigation strategies using the AD Cookbook as a basis. Brian, Michael, Eric and Ron also expressed interest in participating in the group.

...

Benn Oshrin notes that version 1.2 could lead to some confusion around what is needed for password reset under Bronze assurance. The issue is that v1.2 makes section §4.2.4.3 part of Bronze, and this section says:

"After expiration of the current Credential, if none of these methods are successful then the Subject must re-establish her or his identity with the IdPO per Section 4.2.2 before the Credential may be renewed or re-issued."

However, almost none of §4.2.2 applies to Bronze, since Bronze has no registration record requirements. So what does this imply for a Subject with an expired credential, a no longer valid Address of Record, and no (or forgotten) pre-registered questions?

...