assurance - Re: [Assurance] Bronze credential reissuance
- From: Benn Oshrin <>
- To:
- Subject: Re: [Assurance] Bronze credential reissuance
- Date: Mon, 11 Feb 2013 23:51:41 -0500
- Authentication-results: sfpop-ironport02.merit.edu; dkim=permerror (no key for signature)
Expiring such an identity is effectively required for Bronze compliance (§4.2.3.2), which subjects passwords to NIST-based requirements for resistance to guessing, which basically requires counting of failed authentication events or a password expiration policy.
I'd be happy to discuss whether such a requirement is suitable for Bronze, but that's a separate thread.
-Benn-
On 2/11/13 11:38 PM, Jones, Mark B wrote:
OMB M-04-04 describes level 1 as "Little or no confidence in the asserted identity's validity."
Why bother expiring such an identity?
The asking of this question suggests that you see the need to move toward LoA 2. I would work toward implementing what would be required for Silver with regard to re-credentialing as a step toward LoA 2.
-----Original Message-----
From:
[mailto:]
On Behalf Of Benn Oshrin
Sent: Monday, February 11, 2013 6:18 PM
To:
Subject: Re: [Assurance] Bronze credential reissuance
Since there weren't any replies, here's a hypothetical... Keeping in mind we're talking LoA sufficient for retrieving your bookmarks, perhaps we can say something like "the subject must re-establish her or his identity in a manner consistent with the original credentialing".
So, for example, consider that a student enrolls, provides sufficient proof of identity to the Registrar, and that operation is leveraged to establish the student's netid. The student subsequently forgets their password, and cannot reset it via a single use token or reset questions.
The student could return to the Registrar's office and, once the Registrar was satisfied with the identity of the student, update their records with a new Address of Record. Once the address migrated to the IdMS, a reset token could be issued.
Similarly, an employee could go to their HR representative, or a guest or affiliate could go to their sponsor. Where an institution allows self-signup for NetIDs without a corresponding SOR role record, the subject would presumably need to create a new NetID -- credentials without associated registration/role records and no reset paths cannot be recovered.
Thoughts?
-Benn-
On 1/17/13 4:58 PM, Ann West wrote:
Thanks Benn.
Good question. How do folks re-credential for LoA1 now?
Best,
Ann
On 1/11/13 6:37 PM, "Benn Oshrin" <> wrote:
Sort of related to my last message...
The proposed v1.2 FICAM draft makes §4.2.4.3 part of Bronze.
"After expiration of the current Credential, if none of these methods are successful then the Subject must re-establish her or his identity with the IdPO per Section 4.2.2 before the Credential may be renewed or re-issued."
However, almost none of §4.2.2 applies to Bronze, which has no registration record requirements. What does this imply for a Subject with an expired credential, a no longer valid Address of Record, and no (or forgotten) pre-registered questions?
Thanks,
-Benn-
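As an added illustration, not part of the thread and not code from any of its authors or from the InCommon profiles: a small Python model of the two mechanics discussed above. The first part is the "resistance to guessing" point (failed-authentication counting with a lockout, and a password-age expiration check); the second is the recovery order in Benn's hypothetical (single-use token to a valid Address of Record, then reset questions, then re-establishing identity with the system of record that vouched for the NetID, else a new NetID). Every name, threshold and field here is assumed for the example; the thread states no numeric values.

```python
"""Added example: guessing-resistance checks and the recovery-path decision
from the Bronze re-credentialing discussion.  All names and values are
assumptions made for this illustration, not profile requirements."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values (the thread gives no numbers).
MAX_FAILED_ATTEMPTS = 10                 # consecutive failures before lockout
LOCKOUT_WINDOW = timedelta(minutes=30)   # how long a locked credential stays locked
MAX_PASSWORD_AGE = timedelta(days=365)   # password-expiration policy
NOW = datetime(2013, 2, 11, 23, 51)      # constructed "current time" for the demo


@dataclass
class Credential:
    netid: str
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    # Registration data that drives the recovery path (assumed fields).
    address_of_record_valid: bool = False
    has_reset_questions: bool = False
    sor_role: Optional[str] = None   # e.g. "registrar", "hr", "sponsor"; None = self-signup


def is_expired(cred: Credential, now: datetime) -> bool:
    """Password-expiration policy: one of the two guessing defences named above."""
    return now - cred.password_set_at > MAX_PASSWORD_AGE


def record_auth_event(cred: Credential, success: bool, now: datetime) -> str:
    """Failed-attempt counting: the other guessing defence.

    Returns "locked", "expired", "ok" or "failed".  The lock and expiry
    checks run before the password result is considered, so an attacker
    gets no distinguishing feedback on a locked or expired credential.
    """
    if cred.locked_until is not None and now < cred.locked_until:
        return "locked"
    if is_expired(cred, now):
        return "expired"
    if success:
        cred.failed_attempts = 0
        cred.locked_until = None
        return "ok"
    cred.failed_attempts += 1
    if cred.failed_attempts >= MAX_FAILED_ATTEMPTS:
        cred.locked_until = now + LOCKOUT_WINDOW
        cred.failed_attempts = 0       # counter restarts once the lock expires
        return "locked"
    return "failed"


def recovery_path(cred: Credential) -> str:
    """Which re-credentialing route applies, in the order the hypothetical proposes."""
    if cred.address_of_record_valid:
        return "single-use token to Address of Record"
    if cred.has_reset_questions:
        return "pre-registered reset questions"
    if cred.sor_role:
        # Re-establish identity with the SOR; once it records a new Address of
        # Record and that reaches the IdMS, a reset token can be issued.
        return f"re-identity-proof via {cred.sor_role}, then token to new Address of Record"
    # Self-signup NetID with no SOR role record and no working reset path.
    return "unrecoverable: create a new NetID"


if __name__ == "__main__":
    student = Credential("jdoe", password_set_at=NOW, sor_role="registrar")
    for _ in range(MAX_FAILED_ATTEMPTS):
        outcome = record_auth_event(student, False, NOW)
    print("after repeated failures:", outcome)
    print("recovery path:", recovery_path(student))
```

Running the block as a script walks one constructed student account through a run of failed logins and reports the lockout and the applicable recovery route; the functions are meant to be called from an IdP's authentication and account-recovery handlers, with the thresholds replaced by whatever the institution's policy actually sets.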
- Re: [Assurance] Bronze credential reissuance, Benn Oshrin, 02/11/2013
- Re: [Assurance] Bronze credential reissuance, arlene Allen, 02/11/2013
- Re: [Assurance] Bronze credential reissuance, Benn Oshrin, 02/11/2013
- Re: [Assurance] Bronze credential reissuance, Cantor, Scott, 02/11/2013
- Re: [Assurance] Bronze credential reissuance, Benn Oshrin, 02/12/2013
- Re: [Assurance] Bronze credential reissuance, Cantor, Scott, 02/11/2013
- Re: [Assurance] Bronze credential reissuance, Benn Oshrin, 02/11/2013
- RE: [Assurance] Bronze credential reissuance, Jones, Mark B, 02/11/2013
- Re: [Assurance] Bronze credential reissuance, Benn Oshrin, 02/11/2013
- RE: [Assurance] Bronze credential reissuance/credential expiration, Jones, Mark B, 02/12/2013
- Re: [Assurance] Bronze credential reissuance, Benn Oshrin, 02/11/2013
- Re: [Assurance] Bronze credential reissuance, arlene Allen, 02/11/2013
Archive powered by MHonArc 2.6.16.