
[Assurance] RE: Remote proofing feedback from Big Ten auditors


  • From: "Roy, Nicholas S" <>
  • To: "" <>
  • Subject: [Assurance] RE: Remote proofing feedback from Big Ten auditors
  • Date: Wed, 8 Aug 2012 16:03:01 +0000
  • Accept-language: en-US

I got some feedback from the auditors that this isn’t by any means a consensus opinion, it was just a conversation starter.  I also got more information on what about the video proofing process is an issue, so I’ve modified the comment in the wiki as follows:

 

I got some feedback from the Big Ten auditor community.  Their feedback was (each answer represents a data point but not the consensus of the community):

1) The notary approach might work

2) The video approach presents a higher risk profile than the notary approach because it is much harder to detect a forged ID via the video method.  This might be mitigated by tying it back to the issuance of a physical ID with the person's picture on it, but that sort of necessitates "person is present at the RA which took the ID card photo" in-person proofing.  The risk tolerance question here is difficult because it's not just the risk tolerance of the university, but of anyone accepting the IAQ issued by an IdPO that uses this approach.

3) The eVerify process used for I9 stuff in HR processes is good enough to use for proofing (not remote, really, but OK I think this is good news for existing relationship stuff)

4) Quote:

"I don't know how InCommon relates to NIST 800-63, but 800-63 seems clearer.  It says that remote proofing for Level 2 or 3 requires validation of the gov't ID and/or financial acct, plus address validation.  The latter is not a substitute for the former."

To me that says if you take this to be 800-63 rules, then you also need to validate the ID at LoA2/Silver.  But then again, "Silver is not 800-63 level 2, Silver is Silver."

Should the group ask Karl Heinz to discuss these approaches with us on a call?

 

Nick

 

From: [mailto:] On Behalf Of Roy, Nicholas S
Sent: Tuesday, August 07, 2012 8:58 AM
To:
Subject: [Assurance] Remote proofing feedback from Big Ten auditors

 

I got some feedback from the Big Ten auditors – three responses from three different schools.  A summary of the comments is posted as a comment on the remote proofing wiki (https://spaces.internet2.edu/display/InCAssurance/Remote-Proofing+Approaches) and also below:

 

1) The notary approach might work

2) They don't like the video approach, but did not give specific reasons why

3) They think the eVerify process used for I9 stuff in HR processes is good enough to use for proofing (not remote, really, but OK I think this is good news for existing relationship stuff)

4) Quote:

"I don't know how InCommon relates to NIST 800-63, but 800-63 seems clearer.  It says that remote proofing for Level 2 or 3 requires validation of the gov't ID and/or financial acct, plus address validation.  The latter is not a substitute for the former."

To me that says if you take this to be 800-63 rules, then you also need to validate the ID at LoA2/Silver.  But then again, "Silver is not 800-63 level 2, Silver is Silver."

 

Best,

 

Nick
