From: Aron Roberts (aron_at_socrates.berkeley.edu)
Date: Wed Aug 27 2003 - 17:54:21 PDT

Hi Jon,

At 17:30 -0700 2003-08-27, Jon Kuroda wrote:
>Or something more sinister from others I know who shall go unnamed. How
>many CalNet deputies are there on campus?

There are approximately 300 CalNet deputies. A current list can be found at:
http://uas.berkeley.edu/services/deputies.html

Jon continued:
>I know (and trust) the ones in my department. And, in theory, they
>(and I presume UAS) are the only ones able to modify my CalNet ID.

Yes, that's correct. As the CalNet Deputies page notes:
>The CalNet deputy will have authority to change passphrases for only
>those faculty and staff in the units identified on the application
>form (the departmental "Process Unit" department code).

Jon noted:
>The one limitation to any of this is:
>
>https://calnet.berkeley.edu/about_deputies.html
>
>"CalNet users may "opt out" from giving departmental CalNet deputies the
>authority to reset their passphrases, in which case the user must go to
>User & Account Services instead."

This "opt out" option, as well as several other modifications which
can help protect your CalNet passphrase from being reset without your
permission or knowledge, was brought about through extensive analysis
and advocacy work by my colleague, Greg Small, as well as the efforts
of many other members of the CalNet team.

Greg observed at an early juncture that the power delegated to a
large number of people scattered across the campus (CalNet deputies)
to change individual users' CalNet passphrases represented a
critically weak link in the CalNet security model, and he worked
tirelessly to have safeguards established. While this is still an
area of concern, at least it has been considerably tightened from the
original model.

The original announcement of this 'opt-out' option, as well as an
associated password reset notification service, appears below.

Aron Roberts
Workstation Software Support Group

--
From: calnet_at_socrates.Berkeley.EDU
Date: Wed, 11 Dec 2002 16:45:25 -0800 (PST)
To: kerberos-deputies_at_berkeley.edu
cc: accounts_at_socrates.Berkeley.EDU
Subject: Security Enhancements for CalNet

Dear CalNet Deputies,

The CalNet Authentication service has just implemented two security
enhancements: 1) CalNet Passphrase Reset Preference; and, 2) CalNet
Passphrase Reset Notification.

CalNet Passphrase Reset Preference

CalNet Passphrase Reset Preference allows users to specify that only User
& Account Services (UAS) has the ability to reset their passphrase. This
reset preference was implemented to increase security for those who wish
to reduce opportunities for departments to reset their passphrase. This
reset preference can be changed at any time. Users should keep in mind
that if they set their preference such that only UAS can change their
passphrase, they will need to have it reset in person by UAS in 206 Evans
Hall should they forget their passphrase. This new enhancement can be
found at:
<https://calnet.berkeley.edu/cgi-bin/optOut/opt_out.cgi>

CalNet Passphrase Reset Notification

CalNet Passphrase Reset Notification notifies a user via email whenever
their passphrase is reset. This reset notification was implemented so that
a user will know when their passphrase was reset so that they can take
corrective action if their passphrase was reset without their knowledge.
This notification feature was made active on Monday, December 9, 2002.

The reset notification is sent whenever a faculty, staff or affiliate
successfully activates a CalNet ID using a token. Note that activation
takes place whenever a user initially activates their CalNet ID and
whenever a user's passphrase is reset using a token.

Reset notification is sent via email to the address associated with the
user in the CalNet Directory. It is important that users maintain their
current, most frequently used email address in the CalNet Directory. Users
may update their directory information at:
<https://directory.berkeley.edu/update/>

Below is an example of an email sent to a user following the activation of
their CalNet ID:
==============================================================
The passphrase for your faculty, staff or affiliate CalNet ID
was set or changed(*) on
Tue, Dec 10 2002, 16:17:44 (PST)
using a token issued by a CalNet deputy(**).

If this action was taken by you, then you need not do anything.
Otherwise, please notify User & Account Services at
accounts_at_uclink.Berkeley.EDU
to investigate the possible unauthorized use of your CalNet ID.

CalNet Administrator
-----------------------
(*) at https://net-auth.berkeley.edu/cgi-bin/krbreg
(**) see http://uas.berkeley.edu/services/deputies.html
==============================================================

Please note: A CalNet Deputy should never change a user's passphrase. This
is a breach of security.

If you have any questions contact calnet_at_socrates.berkeley.edu.

User & Account Services
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.