Re: [Assurance] last question
  • From: David Langenberg <>
  • To:
  • Subject: Re: [Assurance] last question
  • Date: Mon, 12 Nov 2012 14:25:19 -0700

Exactly, in order to validate the external addresses of record, the
individual must enter the validation codes at a site which verifies
the user using their campus credentials. The requirement is that the
individual demonstrate that they can receive communication at the AOR
not necessarily that the AOR is secured to the same degree as the
Silver credential.

Dave

On Mon, Nov 12, 2012 at 2:18 PM, Jones, Mark B
<>
wrote:
> This is straight out of NIST sp 800-63-1.
>
> "Table 3 - Identity Proofing Requirements by Assurance Level"
> "RA actions" for Level 2
> "Issues credentials in a manner that confirms the ability of the Applicant
> to receive telephone communications or e-mail at phone number or e-mail
> address associated with the Applicant in records. Any secret sent over an
> unprotected channel shall be reset upon first use;"
>
> -----Original Message-----
> From:
>
>
> [mailto:]
> On Behalf Of David Bantz
> Sent: Monday, November 12, 2012 3:09 PM
> To:
>
> Subject: Re: [Assurance] last question
>
> By implication, your email address of record does not rely on the same
> authentication as the Silver-certified infrastructure.
> So how do you have assurance of the ownership/control of that email
> account (as opposed to believing it to be compromised)?
>
> David Bantz
>
> On Mon, 12 Nov 2012, at 11:28 , David Langenberg
> <>
> wrote:
>
>> Over here, what would happen in that case is each account would be
>> locked. Then upon the faculty member contacting IT Security, Support,
>> or our Identification and Privileges office and receiving any required
>> education (i.e. don't reply to phishing email) the authorized support
>> person will initiate a process which will send a one-time-use-password
>> to the faculty member's address(es) of record which will enable them
>> to reset their password. If IT Security believed that the addresses
>> of record were also compromised, then the faculty member would be required
>> to follow the in-person proofing steps again.
>>
>> Dave
>>
>> On Mon, Nov 12, 2012 at 1:10 PM, Lisa Campeau
>> <>
>> wrote:
>>> So, how does this work out for you in actual practice in a university
>>> setting?
>>>
>>> For instance, a compromise of several dozen faculty members. Do you send
>>> out a team to re-silver-credential? What about a bigger compromise, say
>>> several hundred?
>>>
>>> -----Original Message-----
>>> From:
>>>
>>> [mailto:]
>>> On Behalf Of Jones, Mark B
>>> Sent: Monday, November 12, 2012 2:28 PM
>>> To:
>>>
>>> Subject: RE: [Assurance] last question
>>>
>>> My opinion is that a 'reset' password should be issued with the same
>>> procedure as the 'initial' password. This may be the same point Tom was
>>> making.
>>>
>>> If a password needs to be reset, what you are saying is that the person
>>> that owns the account is no longer in control of the account. This is
>>> the same state as when the account was new and the owner did not yet know
>>> the password.
>>>
>>> -----Original Message-----
>>> From:
>>>
>>> [mailto:]
>>> On Behalf Of Tom Scavo
>>> Sent: Monday, November 12, 2012 1:21 PM
>>> To:
>>>
>>> Subject: Re: [Assurance] last question
>>>
>>>
>>>
>>>> If a Silver credential is compromised, can or should it be reset
>>>> using the compromised credential
>>>
>>> If a credential is compromised, it needs to be revoked ASAP, that is, it
>>> should no longer be recognized as a valid authenticator.
>>>
>>>> and/or by answering security questions?
>>>
>>> I don't believe the IAP gives guidance in the area of password reset
>>> (which is what I think you're asking about) so let me give my opinion
>>> FWIW. A password is only as strong as the password reset mechanism that
>>> goes along with it. Recent events on the open Internet have clearly
>>> demonstrated that the Bad Guy, when confronted with a strong
>>> authenticator, turns his/her attention to the password reset process
>>> using social engineering tactics.
>>>
>>> Tom
>>
>>
>>
>> --
>> David Langenberg
>> Identity & Access Management
>> The University of Chicago
>



--
David Langenberg
Identity & Access Management
The University of Chicago
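The mechanism Dave describes above (a one-time code sent to the address of record, entered at a site that first verifies the user with campus credentials, and treated as spent after first use per the SP 800-63-1 text Mark quotes) can be sketched as a small server-side component. The following is an added example written for this archive page; it is not code from any list member's institution. The class and function names, the 15-minute expiry, and the "one attempt per issued code" policy are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy: a validation code is only honoured for 15 minutes after issue.
CODE_TTL_SECONDS = 15 * 60


class ValidationCodeStore:
    """Issues one-time validation codes for an address of record (AOR) and
    checks them only inside a session already authenticated with campus
    credentials. Names and policy here are illustrative assumptions."""

    def __init__(self, pepper: bytes, clock=time.time):
        # Server-side secret: if the pending table leaks, stored hashes alone
        # cannot be turned back into usable codes without it.
        self._pepper = pepper
        # Injectable clock so expiry can be exercised deterministically.
        self._clock = clock
        # (principal, aor) -> (hmac_of_code, expires_at)
        self._pending = {}

    def _hash(self, code: str) -> bytes:
        return hmac.new(self._pepper, code.encode(), hashlib.sha256).digest()

    def issue(self, principal: str, aor: str) -> str:
        """Create a fresh code bound to (principal, aor). Only the keyed hash is
        kept; the clear code is returned exactly once so the caller can send it
        to the AOR over whatever (unprotected) channel that address uses."""
        code = secrets.token_urlsafe(12)
        expires_at = self._clock() + CODE_TTL_SECONDS
        # Re-issuing replaces any earlier code for the same AOR.
        self._pending[(principal, aor)] = (self._hash(code), expires_at)
        return code

    def verify(self, session_principal: str, aor: str, presented_code: str) -> bool:
        """Return True only if the campus-authenticated session belongs to the
        principal the code was issued for, the code has not expired, and it
        matches. The entry is removed on any attempt: the secret travelled over
        an unprotected channel, so it is good for one use and must be reissued
        after a miss, an expiry, or a success."""
        entry = self._pending.pop((session_principal, aor), None)
        if entry is None:
            # Nothing pending for this session's principal and this AOR.
            return False
        code_hash, expires_at = entry
        if self._clock() > expires_at:
            return False
        # Constant-time comparison of the keyed hashes.
        return hmac.compare_digest(code_hash, self._hash(presented_code))


def demo() -> dict:
    """Walk through the issue/verify cycle with a controllable clock and a
    constructed principal and AOR; returns the observed outcomes."""
    now = [1_700_000_000.0]
    store = ValidationCodeStore(pepper=b"constructed-demo-pepper", clock=lambda: now[0])

    code = store.issue("campus-user", "user@aor.example")
    results = {
        # A session authenticated as someone else cannot spend the code.
        "other_session": store.verify("intruder", "user@aor.example", code),
        # The right session, within the window, succeeds once...
        "first_use": store.verify("campus-user", "user@aor.example", code),
        # ...and the same code is dead afterwards.
        "replay": store.verify("campus-user", "user@aor.example", code),
    }

    code = store.issue("campus-user", "user@aor.example")
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = store.verify("campus-user", "user@aor.example", code)

    code = store.issue("campus-user", "user@aor.example")
    results["wrong_guess"] = store.verify("campus-user", "user@aor.example", "not-the-code")
    # The miss consumed the entry, so even the real code no longer works.
    results["after_wrong_guess"] = store.verify("campus-user", "user@aor.example", code)
    return results
```

The binding to the authenticated session is what separates this from a bare "click the link in your email" reset: possession of the AOR alone proves only the ability to receive at that address, which is all the Level 2 text asks of it, while the campus credential still gates who may redeem the code. Spending the entry on a wrong guess keeps online guessing to one try per issuance; a deployment that prefers a small attempt budget would track a counter instead of popping on the first miss.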