RE: [Assurance] RE: Remote Identity Proofing


  • From: Eric Goodman <>
  • Subject: RE: [Assurance] RE: Remote Identity Proofing
  • Date: Wed, 9 Apr 2014 22:14:58 +0000
  • Accept-language: en-US

Wanted to get back to this thread:

> >> I'm wondering if any progress has been made on remote identity
> >> proofing procedures that could be used not only for InCommon Silver,
> >> but also for students who will never visit the physical campus.


My take on the CMU process is:

> 3. Proofer establishes VC with Actor.
> a. It is most optimal if someone the Proofer knows is with the Actor as
> a "chain of custody".

If you have a "Chain of Custody" representative, I think it's reasonable to
call this entire process an in-person registration. You might need a campus
policy statement formally allowing Proofers to "deputize" the "CoC" reps (and
defining under what circumstances) to formalize this, but the practice would
seem to allow this to be called in-person registration. You could have the
"CoC" representative also log in with their AndrewID (in step 6) to further
prove the "CoC's" identity.

>4. Actor presents to Proofer Official Photo ID - holding it up to the camera.
> a. Proofer verifies photo matches actor's face
> b. Proofer records ID Type, Issuer, ID number into ID-Proof Web App
> c. Actor provides AndrewID - Proofer validates AndrewID matches Actor
> d. Possibility of obtaining digital photo capture of Actor in VC
> e. If a "custodian" (see 3a) is present, record custodian AndrewID.

Presuming no "CoC" representative, I would ask two questions here:

1) Was Silver-level identity proofing done for delivery of the AndrewID?

If yes, then (option a) as I noted in my previous message, I think this is a
clear re-issuance of credentials ("re-issuing" the second factor), and that
this process is consistent with the re-issuance process.

If not (and I'll go out on a limb and assume this is the case), then the
question I'd ask is:

2) Can VC credential review be considered to be an "in person" interaction?

If so, then (option b) this would seem to meet the requirements of in-person
proofing as written, and the process would appear to be acceptable.

If not, then (option c) I'd suggest this be proposed as an Alternate Means
for achieving in-person proofing, as defined in the IAP. Potentially cite the
AndrewID validation process as a compensating control that makes up for the
lack of the literal "in person"-ness of the process.

Unfortunately, I don't know that there's an objective answer to the second
question; I can see reasonable arguments either way. I'd guess that the only
way to get a definitive answer is to do the audit, submit the process and
justification (and Alternative Means, if that's the route you go) and see if
it gets accepted.


By the definition of requirements in the IAP, I don't think this practice can
be considered "remote proofing". It's possible that by making some changes
(e.g., comparing the ID presented against the CMU student/employee record in
the campus SoRs) that it could be considered remote proofing, though I will
admit confusion about whose records are being validated against when the IAP
says IDs/accounts are to have "confirmation via records of either
[ID/account] number".

--- Eric

> -----Original Message-----
> From: [mailto:] On Behalf Of Michael R. Gettes
> Sent: Friday, April 04, 2014 2:27 PM
> To:
> Subject: Re: [Assurance] RE: Remote Identity Proofing
>
> the andrewID is essentially a username. it is NOT a physical ID.
>
> /mrg
>
> On Apr 4, 2014, at 5:21 PM, Eric Goodman <> wrote:
>
> > Hi Mary, Michael,
> >
> > Can you clarify whether the AndrewID being relied upon in this process is
> > a physical ID (like a student picture ID) or a login credential? A brief
> > search of the CMU website makes it sound like "Andrew ID" could mean either.
> >
> > Fundamentally, I think my input would depend on what kind of identity
> > proofing goes into how that AndrewID was delivered. If there's sufficient
> > identity proofing behind delivery of an AndrewID, there's an argument that
> > what Michael is doing is credential re-issuance and NOT remote user
> > registration. It would seem to be much easier to argue that this process is
> > a valid (without any Alternative Means) credential re-issuance process if
> > vetting was done for the Andrew ID.
> >
> > --- Eric
> >
> >> -----Original Message-----
> >> From: [mailto:] On Behalf Of Dunker, Mary
> >> Sent: Friday, April 04, 2014 7:06 AM
> >> To:
> >> Subject: [Assurance] Remote Identity Proofing
> >>
> >> Hello, Assurance colleagues,
> >>
> >> I'm wondering if any progress has been made on remote identity
> >> proofing procedures that could be used not only for InCommon Silver,
> >> but also for students who will never visit the physical campus.
> >> Section 4.2.2.4.3 of the IAP contains requirements for Silver remote
> >> proofing, and Michael Gettes proposed a procedure at
> >> https://spaces.internet2.edu/display/InCAssurance/CMU+-+Michael+Gettes+Proposal .
> >>
> >> Has anyone actually implemented one of these procedures or something
> >> similar?
> >> If so, would you please share some details?
> >>
> >> Thank you,
> >> Mary
> >> -----------------------------------------------------------------
> >> Mary Dunker
> >> Director, Secure Enterprise Technology Initiatives Virginia Tech
> >> Information Technology
> >> 1700 Pratt Drive
> >> Blacksburg, VA 24060
> >> 540-231-9327
> >>
> >> --------------------------------------------------------------------
> >>
> >
