
assurance - Re: [Assurance] Bronze password reset

Subject: Assurance

  • From: Eric Goodman <>
  • To: "<>" <>
  • Subject: Re: [Assurance] Bronze password reset
  • Date: Fri, 9 Jan 2015 23:08:09 +0000
  • Accept-language: en-US

I disagree that alternative means must be used to enable recovery of Bronze accounts.  As long as a campus's means for recovery of Bronze accounts protects PII (4.2.2.6), it meets the stated requirements.



So I could create a website that takes an account name and lets you reset the password for that account interactively, with no identity proofing whatsoever, and I can still assert the Bronze IAQ for that account. (At least, if I blank out any PII I have from the original account registration).

In the best case, your reading implies that there's a huge, unfortunate editing error in the IAP language. If the intent of the IAP was really to have no requirements beyond registration record PII protection, then I'm going to go join Mark in his rathole (see the original thread on participants for the reference there) because there's no longer even an amorphous "reasonable care" requirement in play.

--- Eric




