
assurance - RE: [Assurance] Bronze password reset

Subject: Assurance

  • From: "Michael W. Brogan" <>
  • To: "" <>
  • Subject: RE: [Assurance] Bronze password reset
  • Date: Fri, 9 Jan 2015 23:57:18 +0000

Section 3.1 of the IAP says:

“The InCommon Bronze identity assurance profile focuses on sequential identity, that is, reasonable assurance that the same person is authenticating each time with a particular Credential. Assertions under this profile are likely to represent the same Subject each time a Subject identifier is provided.”

With the hypothetical web page password reset scenario described by Eric, I’m not sure how an institution would provide “reasonable assurance that the same person is authenticating each time with a particular Credential.”

--Michael

From: [mailto:] On Behalf Of Eric Goodman
Sent: Friday, January 09, 2015 3:08 PM
To: <>
Subject: Re: [Assurance] Bronze password reset

I disagree that alternative means must be used to enable recovery of Bronze accounts. As long as a campus's means for recovery of Bronze accounts protects PII (4.2.2.6), it meets the stated requirements.

So I could create a website that takes an account name and lets you reset the password for that account interactively, with no identity proofing whatsoever, and I can still assert the Bronze IAQ for that account. (At least, if I blank out any PII I have from the original account registration.)

In the best case, your reading implies that there's a huge, unfortunate editing error in the IAP language. If the intent of the IAP was really to have no requirements beyond registration record PII protection, then I'm going to go join Mark in his rathole (see the original thread on participants for the reference there) because there's no longer even an amorphous "reasonable care" requirement in play.

--- Eric