
[Assurance] IAP FICAM draft revisions vs registration


  • From: Benn Oshrin <>
  • To:
  • Subject: [Assurance] IAP FICAM draft revisions vs registration
  • Date: Fri, 11 Jan 2013 15:11:27 -0500

In the IAP v1.2 FICAM draft, §4.2.4.1 Credential Issuance now applies to Bronze as well as Silver. The relevant section is

To ensure that the same Subject acts throughout the registration and Credential issuance process, the Subject shall identify himself or herself in any new transaction (beyond the first transaction or encounter) with information known only to the Subject, for example a temporary Secret which was established during a prior transaction or encounter, or sent to the Subject's Address of Record. When identifying himself or herself in person, the Subject shall do so either by using a Secret as described above, or through the use of an equivalent process that was established during a prior encounter.

Registration procedures are described in §4.2.2, which only applies to Silver, suggesting the only requirement here is for a subsequent event to reflect the same Subject as an earlier event (i.e., there is no binding to an actual person through some form of document). This seems OK, mapping all the way back to OMB 04-04 ("Little or no confidence in the asserted identity's validity. For example, Level 1 credentials allow people to bookmark items on a web page for future reference") via 800-63 ("Although there is no identity proofing requirement at this level, the authentication mechanism provides some assurance that the same claimant is accessing the protected transaction or data"). This also maps to, e.g., self-sign-up for Gmail.

So in the HE environment it seems reasonable that an institutional SOR's role can be relegated to asserting that someone is eligible for a netid (and related services), but that's it (i.e., it plays no role in IAP compliance). For Bronze compliance, the registration and issuance process could begin when the Subject begins the netid activation process (during which an address of record might be collected and verified for credential reset purposes).

I might be stating and asking the obvious, but is this compatible with the intent of the FICAM draft of the IAP? Or was there an expectation of a stronger bind to proper university records for Bronze? Are campuses planning on binding Bronze identities back to an SOR (like the HRMS or SIS)?

Thanks,

-Benn-

