REFEDS Assurance wg call
Monday 26 February 2018 at 15:30 CET/8:30 CST (90 minutes)
CERN’s Vidyo portal:

Tom B
David L
Pål A
Alan B
Mikael L, notes
Apologised: Michael S and Jule Z


 Review of SFA document  suite

  • SFA:     
    • Section 4: Discussion on “REFEDS approves or REFEDS publishes” the minimum requirements specs. The latter intends to indicate that there is no formal approval process. Mikael to send to the list a link on the process REFEDS has for approving documents.
    • Section 5: Proposal to add a separate fourth bullet point to cover explicitly the magic links sent by e-mail to the user’s verified address of record (potentially after KBA)
  • memorized secrets:  
    • Section 3: all components of the back-end IdM do not need to comply, only “the secrets and verification processes used by an Identity provider…”
    • Section 4: Password rotation and quality checks should not be banned. Either drop C5-C7 (i.e. be silent on them) or use the expression “need not be” (which would be a non-normative statement and make the table inconsistent). In all cases, provide explanation in FAQ.
    • C10: Proposed a less specific requirement: “do any form of mitigation of the risk of online guessing”
    • C11: Current deployments have issues with these requirements (e.g. SHA1 used)
    • C12: Proposed similar to C10: “do any form of mitigation of the risk of off-line cracking. “ (downside: we don’t give idea what is sufficient)
    • in general, the meeting appeared to think that the minimum requirements should provide several mitigation strategies for the IdPs to choose from
    • the AD recipe was found not to be consistent with the current minimum req (one way hash function, offline cracking).

 Next call

  • Monday 12 March 2018 at 14:30 CET/8:30 CDT (90 minutes)
  • notice: the US has started the summer time; the meeting is one hour earlier for Europe
  • No labels