RE: [Assurance] last question


  • From: "Jones, Mark B" <>
  • To: "" <>
  • Subject: RE: [Assurance] last question
  • Date: Mon, 12 Nov 2012 15:18:41 -0600
  • Accept-language: en-US

This is straight out of NIST SP 800-63-1.

"Table 3 - Identity Proofing Requirements by Assurance Level"
"RA actions" for Level 2
"Issues credentials in a manner that confirms the ability of the Applicant to
receive telephone communications or e-mail at phone number or e-mail address
associated with the Applicant in records. Any secret sent over an unprotected
channel shall be reset upon first use;"

-----Original Message-----
From: [mailto:] On Behalf Of David Bantz
Sent: Monday, November 12, 2012 3:09 PM
To:
Subject: Re: [Assurance] last question

By implication, your email address of record does not rely on the same
authentication as the Silver-certified infrastructure.
So how do you have assurance of the ownership/control of that email account
(as opposed to believing it to be compromised)?

David Bantz

On Mon, 12 Nov 2012, at 11:28, David Langenberg <> wrote:

> Over here, what would happen in that case is each account would be
> locked. Then upon the faculty member contacting IT Security, Support,
> or our Identification and Privileges office and receiving any required
> education (i.e. don't reply to phishing email) the authorized support
> person will initiate a process which will send a one-time-use password
> to the faculty member's address(es) of record which will enable them
> to reset their password. If IT Security believed that the addresses
> of record were also compromised, then the faculty member would be required
> to follow the in-person proofing steps again.
>
> Dave
>
> On Mon, Nov 12, 2012 at 1:10 PM, Lisa Campeau <> wrote:
>> So, how does this work out for you in actual practice in a university
>> setting?
>>
>> For instance, a compromise of several dozen faculty members. Do you send
>> out a team to re-silver-credential? What about a bigger compromise, say
>> several hundred?
>>
>> -----Original Message-----
>> From: [mailto:] On Behalf Of Jones, Mark B
>> Sent: Monday, November 12, 2012 2:28 PM
>> To:
>> Subject: RE: [Assurance] last question
>>
>> My opinion is that a 'reset' password should be issued with the same
>> procedure as the 'initial' password. This may be the same point Tom was
>> making.
>>
>> If a password needs to be reset, what you are saying is that the person
>> that owns the account is no longer in control of the account. This is the
>> same state as when the account was new and the owner did not yet know the
>> password.
>>
>> -----Original Message-----
>> From: [mailto:] On Behalf Of Tom Scavo
>> Sent: Monday, November 12, 2012 1:21 PM
>> To:
>> Subject: Re: [Assurance] last question
>>
>>
>>
>>> If a Silver credential is compromised, can or should it be reset
>>> using the compromised credential
>>
>> If a credential is compromised, it needs to be revoked ASAP, that is, it
>> should no longer be recognized as a valid authenticator.
>>
>>> and/or by answering security questions?
>>
>> I don't believe the IAP gives guidance in the area of password reset
>> (which is what I think you're asking about) so let me give my opinion
>> FWIW. A password is only as strong as the password reset mechanism that
>> goes along with it. Recent events on the open Internet have clearly
>> demonstrated that the Bad Guy, when confronted with a strong
>> authenticator, turns his/her attention to the password reset process using
>> social engineering tactics.
>>
>> Tom
>
>
>
> --
> David Langenberg
> Identity & Access Management
> The University of Chicago
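As an added illustration, not part of this thread or of any institution's actual code, here is the recovery flow the thread converges on: revoke the compromised credential and lock the account (Tom), have support mint a single-use, time-limited secret for delivery to the address of record (Dave), and require a new password on that secret's first use (the SP 800-63-1 clause Mark quotes). The `Account` class, the function names and the SHA-256 stand-in for a password hash are all assumptions made for the example.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

@dataclass
class Account:
    username: str
    address_of_record: str           # established at in-person proofing
    password_hash: bytes
    locked: bool = False             # True once the credential is revoked
    recovery: "dict | None" = None   # pending one-time secret (hash + expiry)

def _h(value: str) -> bytes:
    # Plain SHA-256 stand-in; a real deployment would use a password KDF here.
    return hashlib.sha256(value.encode()).digest()

def authenticate(acct, password) -> bool:
    """A locked account accepts nothing, so the compromised password cannot drive its own reset."""
    return not acct.locked and hmac.compare_digest(_h(password), acct.password_hash)

def revoke_credential(acct) -> None:
    """Compromise response: the old authenticator is no longer recognised."""
    acct.password_hash = b""         # no input hashes to an empty digest
    acct.locked = True
    acct.recovery = None             # any earlier recovery secret dies with it

def issue_recovery_secret(acct, ttl=3600, now=None):
    """Support-initiated once the caller has been re-identified: mint a single-use
    secret to send to the address of record. Only its hash is kept server-side."""
    now = time.time() if now is None else now
    secret = secrets.token_urlsafe(24)
    acct.recovery = {"hash": _h(secret), "expires": now + ttl}
    return acct.address_of_record, secret   # where to send it, and what

def redeem_recovery_secret(acct, secret, new_password, now=None) -> bool:
    """First use of the secret must set a new password (SP 800-63-1: a secret sent
    over an unprotected channel is reset upon first use); it is consumed on success."""
    now = time.time() if now is None else now
    pending = acct.recovery
    if pending is None:
        return False
    if now > pending["expires"]:
        acct.recovery = None         # stale secret: support must issue a new one
        return False
    if not hmac.compare_digest(_h(secret), pending["hash"]):
        return False                 # wrong guess; the pending secret survives
    acct.recovery = None             # single use
    acct.password_hash = _h(new_password)
    acct.locked = False
    return True
```

Note what the flow deliberately does not offer: no path from the old (compromised) password to a new one, and no second use of the one-time secret, which is the "same procedure as the initial password" point made upthread.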



