Andrew Martin <[email protected]> writes:

> I can appreciate the security-based argument against relying on IP, but
> at the same time I think there are good arguments for the off-campus /
> on-campus configuration.

Oh, I do too, don't get me wrong. I just don't want to change our advertised *level of assurance* based on that data point. The LoA is there for applications that need a specific LoA for compliance purposes, and the LoA numbers that Stanford is advertising are defined by a NIST standard. I don't think that the IP location is sufficiently secure data to amount to a second factor for LoA purposes.

I certainly understand the more general use case of only requiring multifactor for off-campus accesses. I think it's a good way to ease into using multifactor.

> I can empathize with Russ that the configuration options get complicated
> when you try to make webauth easily support all of these options and
> wish the team good luck with that :-) However - we'll be waiting for an
> elegant solution. In the meantime, in case you're interested, with
> Fletcher's help we put together a rewrite hack which seems to be working
> as follows:

Yup, that looks like the right idea to me.

--
Russ Allbery <[email protected]>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
