Team

Ismael Alaoui, Phil Benchoff, Susan Brooker-Gross, Al Cooper, Mary Dunker, Frank Galligan, Karen Herrington, Greg Kroll, Randy Marchany

Kevin Rooney, Sharon Kurek, Mike Emero
(✓ present, ✗ absent)

Agenda

  1. Kim Homer reporting on using multiple certificates with Adobe signatures and Outlook/Exchange e-mail (see Jira issue: https://apps.es.vt.edu/jira/browse/UCA-1)
  2. Questions surrounding whether or not we can issue a certificate at LoA 3 and continue to consider it as LoA 3 after it is in the hands of the user. (See Mary's comments below.)
  3. Next meeting?

Meeting Notes

  1. Kim Homer reporting on using multiple certificates with Adobe signatures and Outlook/Exchange e-mail (see Jira issue: https://apps.es.vt.edu/jira/browse/UCA-1)
    1. When a user's computer has multiple certificates, the name displayed to the user seems to be application dependent. Ish thought the "cn" name is displayed, but testing during this meeting revealed that the "FriendlyName" is displayed for the VT NetCert (at least when using Vista Ultimate SP2 and Firefox 3.6.11). More testing is needed.
    2. For the purposes of this project we want to have some control over what is displayed to the user when multiple certs are present. If possible perhaps we could use a different font for the soft cert.
    3. Quick test using Outlook and a free cert from Comodo:
      1. Before a user can send encrypted e-mail to someone, the sender needs the recipient's certificate (public key); the recipient then decrypts with the matching private key. In practice the two parties exchange certificates by first sending each other a signed message, which carries the sender's certificate.

2 Comments

  1. Mary Dunker

    NIST 800-63 states the following regarding Level 3 and the Soft cryptographic token:

    Soft cryptographic token: a cryptographic key stored on a general-purpose computer. Hardware tokens validated at FIPS 140-2 Level 1 or higher may also be used to hold the key and perform cryptographic operations. The claimant shall be required to activate the key before using it with a password or biometric, or, alternatively shall use a password as well as the key in an authentication protocol with the verifier. If a password is employed to unlock the soft token key, the key shall be kept encrypted under a key derived from a password meeting the requirements for Level 2 authentication, and decrypted only for actual use in authentication. Alternatively, if a password protocol is employed with the verifier, the use of the password shall meet the requirements for Level 2 authentication assurance.

    I think this means that a "soft cryptographic token" stored on a general-purpose computer is considered a LoA 3 credential if either of the following is true:

    1) a password or biometric is required to activate the key. The password would need to meet NIST LoA 2 requirements.

    2) the claimant is required to use a password as well as the key in an authenticated protocol with the verifier. In this case the password must meet NIST LoA 2 requirements, which includes password strength described in 8.2.2.4 and maybe 8.2.2.3.

    Regarding option # 1, after the soft PDC enters the hands of the user, we cannot technically enforce use of a password that would meet NIST LoA 2, to activate the key. 

    Question (probably for Internal Audit): If we created a policy that required the user to maintain a password on a soft PDC (or P12 key store) that met NIST LoA 2 strength requirements, and issued a soft PDC that initially met the LoA 3 requirements, would that justify our recognizing that soft PDC as a Virginia Tech LoA 3 credential according to the LoA defined in the VT standard for Personal Digital Identity Levels of Assurance? http://www.it.vt.edu/publications/pdf/Standard_for_Personal_Digital_Identity_LOA_Final-09June2010.pdf

    Regarding option #2, according to Randy Marchany, http://computing.vt.edu/accounts_and_access/pickinggoodpasswords.html has the strength rules and they are close to the NIST criteria. I think Table A-1 shows that with our password strength rules and "dictionary" check, we're in the acceptable range.

    Question: If a soft PDC were issued that initially met the LoA 3 requirements, and if it were subsequently used in combination with, say, the PID and its password, would that justify our recognizing that soft PDC as a Virginia Tech LoA 3 credential according to the LoA defined in the VT standard for Personal Digital Identity Levels of Assurance? http://www.it.vt.edu/publications/pdf/Standard_for_Personal_Digital_Identity_LOA_Final-09June2010.pdf