Assurance

["Michael R. Gettes" <>]

me 3

/mrg

On May 30, 2012, at 15:32, Roy, Nicholas S wrote:

> Me as well.
> 
> Nick
> 
> -----Original Message-----
> From: 
> 
>  
> [mailto:]
>  On Behalf Of Lovaas,Steven
> Sent: Wednesday, May 30, 2012 2:30 PM
> To: 
> 
> Subject: RE: [Assurance] Remote proofing?
> 
> I'd also be interested in helping with this.
> 
> Steve
> 
> 
> ========================
> Steven Lovaas
> IT Security Manager
> Colorado State University
> 
> 970-297-3707
> ========================
> 
> 
> 
> -----Original Message-----
> From: 
> 
>  
> [mailto:]
>  On Behalf Of Bradner, Scott
> Sent: Wednesday, May 30, 2012 1:18 PM
> To: 
> <>
> Subject: Re: [Assurance] Remote proofing?
> 
> I'm interested
> 
> Scott
> 
> Scott Bradner
> 
> Harvard University Information Technology Innovation & Architecture
> +1 617 495 3864
> 29 Oxford St., Room 407
> Cambridge, MA 02138
> www.harvard.edu/huit
> 
> 
> 
> 
> 
> On May 30, 2012, at 3:10 PM, Ann West wrote:
> 
>> If there's interest in convening a collaboration group to develop some 
>> recommendations on this topic, just let me know. Happy to help with the 
>> phone bridge, wiki page, doodle polls, etc.
>> 
>> A good meaty thing to tackle, if you ask me.
>> 
>> Ann
>> 
>> Not saying dealing with people in other countries is not a problem, 
>> but I found this while trying to educate myself:  
>> http://travel.state.gov/law/judicial/judicial_2086.html
>> 
>> 
>> From: 
>> 
>>  
>> [mailto:]
>>  On Behalf Of Michael R. Gettes
>> Sent: Wednesday, May 30, 2012 1:58 PM
>> To: 
>> <>
>> Subject: Re: [Assurance] Remote proofing?
>> 
>> aren't we all assuming a perfect world where the world we need is "good 
>> enough"?  and, have you tried to present an ID via video conf?  Frankly, 
>> it looks pretty good.  Additionally, I have the problem of dealing with 
>> people from other countries so Notary is problematic there.
>> 
>> /mrg
>> 
>> On May 30, 2012, at 14:54, Roy, Nicholas S wrote:
>> 
>> 
>> This is a good point, Jacob- the validity of the documents would be harder 
>> to determine via video link.  I think this might be a benefit to having a 
>> notary look at the documents, if that's something they are trained to do.
>> 
>> Nick
>> 
>> From: 
>> 
>>  
>> [mailto:]
>>  On Behalf Of Farmer, Jacob
>> Sent: Wednesday, May 30, 2012 10:58 AM
>> To: 
>> 
>> Subject: RE: [Assurance] Remote proofing?
>> 
>> When it has come up at IU, one of the major concerns has been our ability 
>> to tell if the ID has been altered over the video link.  Granted, we are 
>> not likely to catch a good fake ID even if it's presented in person, but 
>> it seems like we could very well miss a poorly altered ID over the video 
>> conference link.
>> 
>> Jacob
>> 
>> From: 
>> 
>>  
>> [mailto:]
>>  On Behalf Of David Walker
>> Sent: Wednesday, May 30, 2012 11:53 AM
>> To: 
>> 
>> Subject: Re: [Assurance] Remote proofing?
>> 
>> I like this general approach.  It also raises the question of whether a 
>> video conference link should be considered remote or local.  Clearly, it's 
>> geographically remote, but the risks and the proofing process are much 
>> more like local proofing.
>> 
>> Has anyone implemented identity proofing based on video conferencing?  
>> I've heard it discussed before, but I'm not aware of actual 
>> implementations.
>> 
>> David
>> 
>> On Tue, 2012-05-29 at 19:11 +0000, Michael R. Gettes wrote:
>> 
>> I've been mulling this over for some time.
>> 
>> Here are my thoughts on a Remote Proofing process we are now mulling over 
>> at CMU.
>> 
>> There are parts in here to address some CMU problems of issuing 2nd-factor 
>> tokens - but you could take that out of the flow and it still is viable.
>> 
>> The IDProof App has yet to be written.
>> 
>> /mrg
>> 
>> Version 1.0
>> 
>> Actor = Person to be Identity-Proofed
>> Proofer = Doh!  Could be any full-time CMU staff person appropriately 
>> authorized?  Could be Help Center staff?
>> 
>> It is assumed the Actor has already been issued an Andrew ID - or must we 
>> define this process too?
>> 
>> 0. Actor and Proofer agree upon method of Video Conference (FaceTime, 
>> Google Voice Video, Skype, others?)
>> 
>> 1. Actor independently obtains physical FOB or downloads soft FOB
>> 
>> 2. Proofer independently accesses ID-Proof Web App in a "Proofer" role
>> 
>> 3. Proofer establishes VC with Actor.
>> a.  It is most optimal if someone the Proofer knows is with the Actor as a 
>> "chain of custody".
>> 
>> 4. Actor presents to Proofer Official Photo ID - holding it up to the 
>> camera.
>> a.  Proofer verifies photo matches actor's face b.  Proofer records ID 
>> Type, Issuer, ID number into ID-Proof Web App c.  Actor provides 
>> AndrewID - Proofer validates AndrewID matches Actor d.  Possibility of 
>> obtaining digital photo capture of Actor in VC e.  If a "custodian" 
>> (see 3a) is present, record custodian AndrewID.
>> 
>> 5. Process FOB
>> a.  Proofer records Actor's FOB # and AndrewID into ID-Proof Web App 
>> b.  Proofer enables Actor's FOB
>> 
>> 6. Actor verifies authentication and access a. Actor accesses ID-Proof 
>> Web App and login as normal user Actor authenticates using Shib SSO 
>> and then uses FOB authN on ID-Proof page.
>> b. Actor is presented with a 6 character KEY c. Actor reads KEY to 
>> Proofer d. Proofer validates the Actor's KEY with KEY on Proofer's 
>> ID-Proof page.
>> e. repeat a-d until success
>> 
>> 7. Proofer approves Actor in ID-Proof Web App
>> 
>> 8. End Video Conference
>> 
>> 9. Proofer authorization
>> a.  If Proofer has privilege to authorize then modify accordingly.
>> b.  If not (9a) then Proofer notifies official authorizers ID-Proof steps 
>> completed and provides AndrewID and Name to Authorizers.  Authorizers 
>> modify accordingly.
>> 
>> Done.
>> 
>> 
>> 
>