assurance - Re: [Assurance] Bronze credential reissuance
Subject: Assurance
List archive
- From: arlene Allen <>
- To:
- Subject: Re: [Assurance] Bronze credential reissuance
- Date: Mon, 11 Feb 2013 16:36:05 -0800
- Authentication-results: sfpop-ironport05.merit.edu; dkim=neutral (message not signed) header.i=none
Ours is a fairly average approach. The LOA-2 is the one that requires considerably more structure.
For LOA-1 we are comfortable with knowledge based auth (KBA). When the principal activated their identity we forced them to do the secret questions. The combination of knowing their employee id or student id, etc. along with answering the secret questions gives them the reset ability. If they don't remember the secret questions anymore, then they must interact with our identity help function. This is all done on the web and we don't force the optional pathway of responding to an email sent to the address of record. For LOA-1 that seemed like a bit much, although one sees that a lot.
On 2/11/2013 4:17 PM, Benn Oshrin wrote:
Since there weren't any replies, here's a hypothetical... Keeping in mind we're talking LoA sufficient for retrieving your bookmarks, perhaps we can say something like "the subject must re-establish her or his identity in a manner consistent with the original credentialing".
So, for example, consider that a student enrolls, provides sufficient proof of identity to the Registrar, and that operation is leveraged to establish the student's netid. The student subsequently forgets their password, and cannot reset it via a single use token or reset questions. The student could return to the Registrar's office and, once the Registrar was satisfied with the identity of the student, update their records with a new Address of Record. Once the address migrated to the IdMS, a reset token could be issued.
Similarly, an employee could go to their HR representative, or a guest or affiliate could go to their sponsor. Where an institution allows self-signup for NetIDs without a corresponding SOR role record, the subject would presumably need to create a new NetID -- credentials without associated registration/role records and no reset paths cannot be recovered.
Thoughts?
-Benn-
On 1/17/13 4:58 PM, Ann West wrote:
Thanks Benn.
Good question. How do folks re-credential for LoA1 now?
Best,
Ann
On 1/11/13 6:37 PM, "Benn Oshrin"
<>
wrote:
Sort of related to my last message...
The proposed v1.2 FICAM draft makes §4.2.4.3 part of Bronze.
"After expiration of the current Credential, if none of these methods
are successful then the Subject must re-establish her or his identity
with the IdPO per Section 4.2.2 before the Credential may be renewed or
re-issued."
However, almost none of §4.2.2 applies to Bronze, which has no
registration record requirements. What does this imply for a Subject
with an expired credential, a no longer valid Address of Record, and no
(or forgotten) pre-registered questions?
Thanks,
-Benn-
--
Arlene Allen
Director, OIST / CI
UC Santa Barbara
805.893.2062 Office
805.451.7471 Mobile
- Re: [Assurance] Bronze credential reissuance, Benn Oshrin, 02/11/2013
- Re: [Assurance] Bronze credential reissuance, arlene Allen, 02/11/2013
- Re: [Assurance] Bronze credential reissuance, Benn Oshrin, 02/11/2013
- Re: [Assurance] Bronze credential reissuance, Cantor, Scott, 02/11/2013
- Re: [Assurance] Bronze credential reissuance, Benn Oshrin, 02/12/2013
- Re: [Assurance] Bronze credential reissuance, Cantor, Scott, 02/11/2013
- Re: [Assurance] Bronze credential reissuance, Benn Oshrin, 02/11/2013
- RE: [Assurance] Bronze credential reissuance, Jones, Mark B, 02/11/2013
- Re: [Assurance] Bronze credential reissuance, Benn Oshrin, 02/11/2013
- RE: [Assurance] Bronze credential reissuance/credential expiration, Jones, Mark B, 02/12/2013
- Re: [Assurance] Bronze credential reissuance, Benn Oshrin, 02/11/2013
- Re: [Assurance] Bronze credential reissuance, arlene Allen, 02/11/2013
Archive powered by MHonArc 2.6.16.