
Managing User Interaction with Unauthenticated Identities

In document Groove Management Server (Page 91-94)

Domain member contact lists can include both authenticated and unauthenticated contacts, though this distinction may not be immediately apparent to users. Management server identity policies allow you to specify how user ‘authenticity’ is indicated in managed user contact lists. The following sections provide information and instructions for determining the level of peer authentication:

• Authenticated vs. Unauthenticated Groove Identities

• Setting Up Peer Authentication

Authenticated vs. Unauthenticated Groove Identities

Groove supports two types of authentication: manual authentication and certification. Manually authenticated contacts are those whose identity has been verified out-of-band (by checking their digital fingerprints, for example). Certified contacts are those whose identity has been validated by a certificate issued by a management domain administrator. Text color distinguishes contacts in managed user contact lists, as summarized in the following table for each authentication type:

You can control how your users interact with unauthenticated identities by setting up a peer security policy. When a domain member attempts one of the actions listed in the “Peer Action” table below, the appropriate warning or prevention policy goes into effect as described.

Setting Up Peer Authentication

Establishing peer authentication in a managed Groove environment occurs mainly via a single identity policy that defines peer authentication for all members using the specified identity policy template.

To set up a peer authentication policy, follow these steps:

1. Go to the management server administrative Web site and click an identity policy template in the navigation pane. The Member Policies tab appears.

2. Click the Security Policies tab.

Groove PKI Enterprise PKI

The contact is a member of the user’s management domain.

The contact is a member of a domain that is cross-certified with the user’s management domain (as described in the Managing Groove Domains section of this guide).

The contact is certified.

The contact is personally (manually) authenticated by the user.

The contact is personally (manually) authenticated by the user.

The contact is not authenticated. The contact is not authenticated.

3. Go to the Peer Authentication Policy section of the Security Policy page and select one of the options described in the following table:

4. Select Save Changes in the tool bar to submit your changes. Any domain group or member to whom you assign this identity policy template will be subject to the policy you just defined. The table below summarizes the effect of each policy in various Groove contexts.

Peer Authentication Policy Options - Descriptions*

• Do not warn members about communicating with any contacts. - When this option is in effect, Groove will not display warnings indicating communications with an unauthenticated identity.

• Warn members before they communicate with contacts that have neither been administrator-certified nor manually authenticated by the user. - This option displays an Authenticate pop-up window, prompting users to authenticate any unauthenticated identity.

• Only allow communications with administrator-certified contacts. - When this option is in effect, Groove allows communications among certified identities only.

*See the Peer Action table below for descriptions of these options in various contexts.

Peer Action - Peer Security Policy Effect*

Sending an instant message or workspace (.grv) invitation (including light chat and MS Instant Messages), or replying to or forwarding an instant message.

• Do not warn or restrict members when communicating with any contacts. - No effect.

• Warn member before communicating with contacts that have been neither administrator-certified nor manually authenticated by the member. - If any recipients are unauthenticated, Groove displays an Authenticate pop-up window, prompting the sender to authenticate unauthenticated users in the invite list. The sender may or may not choose to do so.

• Only allow members to communicate with administrator-certified contacts. - If any recipients are uncertified, Groove displays a pop-up window listing the uncertified users and explaining that communication with those users will not occur.

Confirming workspace invitations.

• Do not warn or restrict members when communicating with any contacts. - No effect.

• Warn member before communicating with contacts that have been neither administrator-certified nor manually authenticated by the member. - If an unauthenticated user accepts an invitation, Groove displays a confirmation pop-up window to the inviter. If the inviter confirms the acceptance, an Authenticate pop-up window appears, prompting the inviter to manually authenticate the user. The inviter may or may not choose to do so.

• Only allow members to communicate with administrator-certified contacts. - If an uncertified user accepts an invitation .grv file from a managed user, the invitation will nevertheless be declined and the workspace will not be downloaded.

Opening a workspace.

• Do not warn or restrict members when communicating with any contacts. - No effect.

• Warn member before communicating with contacts that have been neither administrator-certified nor manually authenticated by the member. - If any workspace members are unauthenticated, Groove displays an Authenticate pop-up window, prompting the user who is opening the workspace to manually authenticate unauthenticated users. The workspace opener may or may not choose to do so.

• Only allow members to communicate with administrator-certified contacts. - If any recipients are uncertified, Groove displays a pop-up window (pop-up on user navigation to the workspace) explaining that x members of the space are uncertified.

Creating a workspace.

• Do not warn or restrict members when communicating with any contacts. - No effect.

• Warn member before communicating with contacts that have been neither administrator-certified nor manually authenticated by the member. - If any recipients of the invitation .grv are unauthenticated, Groove displays an Authenticate pop-up window, prompting the inviter to manually authenticate unauthenticated users in the invite list. The workspace creator may or may not choose to do so.

• Only allow members to communicate with administrator-certified contacts. - If any recipients of the invitation .grv are uncertified, Groove displays a pop-up window stating that x recipients are uncertified and prevents those users from entering the space.
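The Peer Action table can be modelled as a small decision function, which is useful for checking which contacts a stricter option would affect before assigning the template. This is an added example, not part of the Groove documentation or product; the `Policy`, `Action`, `Contact` and `evaluate` names, the effect strings and the roster are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Policy(Enum):          # the three Peer Authentication Policy options
    NO_WARN = 1
    WARN = 2
    CERTIFIED_ONLY = 3

class Action(Enum):          # the four rows of the Peer Action table
    SEND = "send message or invitation"
    CONFIRM = "confirm workspace invitation"
    OPEN = "open workspace"
    CREATE = "create workspace"

@dataclass(frozen=True)
class Contact:               # constructed model, not a Groove data structure
    name: str
    certified: bool = False  # certificate issued by a domain administrator
    manual: bool = False     # fingerprint verified out-of-band by the user

# What certified-only does to uncertified contacts, per action (from the table).
CERTIFIED_ONLY_EFFECT = {
    Action.SEND: "not sent",
    Action.CONFIRM: "invitation declined",
    Action.OPEN: "notice only",
    Action.CREATE: "kept out of space",
}

def evaluate(policy, action, contacts):
    """Return {contact name: effect} for every contact the policy affects."""
    if policy is Policy.NO_WARN:
        return {}
    if policy is Policy.WARN:
        # Certification or manual authentication both suppress the prompt.
        return {c.name: "authenticate prompt" for c in contacts
                if not (c.certified or c.manual)}
    # Certified-only: manual authentication is not enough.
    return {c.name: CERTIFIED_ONLY_EFFECT[action] for c in contacts
            if not c.certified}

# Constructed roster for illustration.
ROSTER = [Contact("alice", certified=True),
          Contact("bob", manual=True),
          Contact("carol")]

if __name__ == "__main__":
    for policy in Policy:
        for action in Action:
            print(policy.name, "/", action.value, "->",
                  evaluate(policy, action, ROSTER))
```

Note that a manually authenticated contact passes the warn option silently but is still treated as uncertified under the certified-only option.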
