
Background

On October 6, 2011, Steven VanRoekel, the Federal Chief Information Officer, issued a memorandum (http://www.howto.gov/sites/default/files/omb-req-externally-issued-cred_0.pdf) specifying a timetable for federal agencies to begin accepting externally-issued credentials. The Federal Identity, Credential, and Access Management Subcommittee (FICAM - http://www.idmanagement.gov/pages.cfm/page/ICAM) is named as responsible for certifying the entities that may issue such credentials.

InCommon (http://www.incommon.org) is a Trust Framework Provider, certified by FICAM under the Trust Framework Provider Adoption Process (TFPAP - http://www.idmanagement.gov/documents/FICAM_TFS_TFPAP_v1.1.0.pdf) at assurance levels 1 (InCommon Bronze) and 2 (InCommon Silver). As a certified trust framework provider, InCommon is authorized to certify campuses to issue identity assertions over the Internet to government agency service providers at assurance levels 1 and 2. The documents governing InCommon's trust framework are available at http://www.incommon.org/assurance/components.html.

The InCommon Assurance Program is currently sponsoring a group of university representatives who are exploring how a campus can certify for InCommon Silver when the password credentials used for Silver-level authentication are stored in an Active Directory instance. "IAP Requirements and Gaps for Active Directory Domain Services" (https://spaces.at.internet2.edu/x/BA8wAg) is a summary of that work.

Questions

  • When BitLocker full disk encryption is used, are disk sectors decrypted only as they are read? What is the recommended/supported BitLocker configuration for use with AD DS domain controllers?
  • Does Microsoft have a strategy for supporting compliance with the Federal Identity, Credential, and Access Management (FICAM) requirements at LoA-2? If so, what is the time frame?
  • Does Microsoft have a strategy for AD integration of non-Windows and older Windows client platforms that will use NIST/FIPS-approved algorithms for transport of passwords over a network? If so, what is the time frame?
  • Is it possible to configure AD so that the NetUserChangePassword and NetUserSetInfo APIs (and the RPC traffic they generate) use only NIST-approved algorithms for encryption?
  • Protected Channels - 4.2.3.6.1b - Gaps
    • What encryption algorithms does Windows Schannel (Secure Channel) use?
    • What is the impact of turning on the FIPS setting ("System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing") on all domain clients? What is the impact on domain controllers?
    • RC4-HMAC Kerberos encryption is not NIST or FIPS approved, and we would like to determine whether it is comparable to the methodologies that are. Can you help with this? (See http://www.incommon.org/assurance/alternativemeans.html for the criteria we will consider.)
  • Review "IAP Requirements and Gaps for Active Directory Domain Services" for verification.
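Several of the questions above (the FIPS setting, and where RC4-HMAC is still in use) are ones a campus can start answering on its own domain before Microsoft responds. The following PowerShell is an added example written for this page, not code from the InCommon working group or from Microsoft. It decodes the documented bit values of the msDS-SupportedEncryptionTypes attribute (0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128-CTS-HMAC-SHA1-96, 0x10 AES256-CTS-HMAC-SHA1-96), reads the registry value that the FIPS security option writes, and reports which accounts still advertise non-FIPS Kerberos types. The account names and attribute values in the sample table are constructed; the live query at the end assumes the ActiveDirectory module is available and runs only if it is.

```powershell
# Added example: audit Kerberos encryption types and the local FIPS policy.
# Not from the original page; sample data below is constructed.

# Documented bit flags of msDS-SupportedEncryptionTypes.
$KerberosEncTypeFlags = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
}

function ConvertFrom-KerberosEncTypes {
    param([AllowNull()][int]$Value)
    # An unset attribute (null/0) means the KDC falls back to defaults, which
    # on 2008-era domains still include RC4-HMAC. Report that explicitly
    # rather than returning an empty list that looks like "nothing allowed".
    if (-not $Value) { return @('(unset: domain defaults, RC4-HMAC allowed)') }
    $names = foreach ($bit in $KerberosEncTypeFlags.Keys) {
        if ($Value -band $bit) { $KerberosEncTypeFlags[$bit] }
    }
    return @($names)
}

function Test-FipsAlgorithmPolicy {
    # Registry value behind the security option "System cryptography: Use FIPS
    # compliant algorithms for encryption, hashing, and signing". 1 = enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $v = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.Enabled -eq 1)
}

function Get-EncTypeReport {
    # $Accounts: hashtable of account name -> msDS-SupportedEncryptionTypes.
    param([hashtable]$Accounts)
    foreach ($name in $Accounts.Keys) {
        $types = ConvertFrom-KerberosEncTypes $Accounts[$name]
        # Anything other than the AES types (DES, RC4, or the unset default)
        # is a gap against the Protected Channels requirement discussed above.
        $nonFips = @($types | Where-Object { $_ -notmatch '^AES' })
        [pscustomobject]@{
            Account      = $name
            EncTypes     = ($types -join ', ')
            NonFipsTypes = ($nonFips.Count -gt 0)
        }
    }
}

# Constructed sample data (hypothetical accounts and attribute values).
$sample = @{
    'dc01$'      = 0x1C   # RC4-HMAC + AES128 + AES256, typical for a 2008 R2 DC
    'legacy-app' = 0x04   # RC4-HMAC only
    'jdoe'       = $null  # attribute never set
}
Get-EncTypeReport $sample | Format-Table -AutoSize
"FIPS algorithm policy enabled on this host: $(Test-FipsAlgorithmPolicy)"

# Optional live run against the domain (requires the ActiveDirectory module;
# narrow with -SearchBase on large forests).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $live = @{}
    Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' `
                 -Properties 'msDS-SupportedEncryptionTypes' |
        ForEach-Object { $live[$_.Name] = $_.'msDS-SupportedEncryptionTypes' }
    Get-EncTypeReport $live | Where-Object NonFipsTypes | Format-Table -AutoSize
}
```

Two caveats when reading the output: an account advertising AES types can still be issued RC4-encrypted tickets if the other party to the exchange only supports RC4, so the attribute is a necessary but not sufficient check; and the FIPS registry value governs Schannel and the local cryptographic libraries, not the Kerberos encryption types the KDC negotiates, which is exactly why the two questions above are asked separately.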