
assurance - Re: [Assurance] Bronze password reset

Subject: Assurance

  • From: David Walker <>
  • To:
  • Subject: Re: [Assurance] Bronze password reset
  • Date: Mon, 12 Jan 2015 09:20:14 -0800

+1

It seems to me that a lot of this discussion reflects a desire to codify
common community practice for identity proofing and account recovery
that is not part of the set of Bronze requirements, but does address
higher education business needs. In that context, maybe we should focus
on what that practice should be, knowing that Bronze doesn't place any
specific restrictions on it.

David

On 01/12/2015 07:16 AM, Cantor, Scott wrote:
>> I'm wondering now if the sort-of de facto industry standard of having a few
>> pre-registered questions... your favorite color, name of your first pet,
>> favorite relative's name, city where you were born... is that reasonable
>> care?
> Probably. But I think the underlying point is that if you assume *no*
> knowledge of the person, then if these typical measures fail as they
> sometimes will, there's literally no way to safely recover the account,
> even if the person shows up in person with ID.
>
> But in actual practice, we *do* tend to assume some binding to a person,
> even if it's weak or implicit, and we do fall back to that if remote reset
> doesn't work. We don't just throw away non-guest accounts and force
> somebody to get a new one if they're an affiliate.
>
> But none of that is codified in Bronze. I guess the real underlying
> question is whether it's enough to just say "reasonable care". I suspect
> that's in keeping with the idea of an unaudited assurance level.
>
> -- Scott
>




