...
- Single-factor authentication (SFA) profile and the related documents, Jule&Michael
- There were concerns if the current approach is clear enough for the IdP admins – what documents needs to be read? Do OpenLDAP/AD deployers need to follow NIST 63b as well?
- It was proposed to clarify the order of the docs:
- If you have an AD/OpenLDAP deployment you need to follow the associated minimal requirements only
- If you have some other product you’ll have some harder work ahead to read 63b but you can help us to develop a minimal requirements for your product
- 63b section 8 on security threats has criteria that are not and cannot be done in the minimal practice docs (e.g. educating users against phishing) so the CSPs need to have other controls
- what if someone uses a product whose configuration is similar to OpenLDAP but is not openLDAP. Find a wording that allows the minimal requirements to be applied to products with similar configuration (“or equivalent”).
- how the rate limiting is addressed when there is actually a pool of LDAP servers? Clarify in the document (the pool is per server)
- - discussions on the mailing list
- introduce a new “good-entropy MFA”?
- ACAMP discussion demonstrated that many CSPs in the US say they cannot can hardly even meet the REFEDS MFA. Better to take small step first and not to try to define and deploy “gooddefer “good-entropy MFA” in to the near future.
- drop authentication component from Cappuccino and Espresso?
- no conclusion on this
- introduce a new “good-entropy MFA”?
...