
assurance - RE: [Assurance] Bronze password reset

  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: RE: [Assurance] Bronze password reset
  • Date: Mon, 12 Jan 2015 15:16:26 +0000

> I'm wondering now if the sort-of de facto industry standard of having a few
> pre-registered questions... your favorite color, name of your first pet,
> favorite relative's name, city where you were born... is that reasonable
> care?

Probably. But I think the underlying point is that if you assume *no*
knowledge of the person, then if these typical measures fail as they
sometimes will, there's literally no way to safely recover the account, even
if the person shows up in person with ID.

But in actual practice, we *do* tend to assume some binding to a person, even
if it's weak or implicit, and we do fall back to that if remote reset doesn't
work. We don't just throw away non-guest accounts and force somebody to get a
new one if they're an affiliate.

But none of that is codified in Bronze. I guess the real underlying question
is whether it's enough to just say "reasonable care". I suspect that's in
keeping with the idea of an unaudited assurance level.

-- Scott



