
assurance - RE: [Assurance] Bronze password reset

RE: [Assurance] Bronze password reset

  • From: "Jones, Mark B" <>
  • To: "" <>
  • Subject: RE: [Assurance] Bronze password reset
  • Date: Mon, 12 Jan 2015 21:01:07 +0000
  • Accept-language: en-US

But Bronze does place specific restrictions on registration and identity
proofing under a specific circumstance.

In section 4.2.4.3 (which applies to Bronze explicitly) it states that
"After expiration of the current Credential, if none of these methods is
successful then the Subject must re-establish her or his identity with the
IdPO per Section 4.2.2 before the Credential may be renewed or re-issued."
This clearly says that if you want to be able to renew or re-issue a
credential after expiration and after all pre-registered recovery methods
fail, the institution must comply with the registration and identity
proofing as described in 4.2.2. If an institution chooses not to comply
with 4.2.2 then that is a choice to not renew or re-issue expired
credentials unless they can be recovered using pre-registered methods.

> -----Original Message-----
> From:
> On Behalf Of David Walker
> Sent: Monday, January 12, 2015 11:20 AM
> To:
> Subject: Re: [Assurance] Bronze password reset
>
> +1
>
> It seems to me that a lot of this discussion reflects a desire to codify
> common community practice for identity proofing and account recovery that
> is not part of the set of Bronze requirements, but does address higher
> education business needs. In that context, maybe we should focus on what
> that practice should be, knowing that Bronze doesn't place any specific
> restrictions on it.
>
> David
>
> On 01/12/2015 07:16 AM, Cantor, Scott wrote:
> >> I'm wondering now if the sort-of de facto industry standard of having
> >> a few pre-registered questions... your favorite color, name of your
> >> first pet, favorite relative's name, city where you were born... is
> >> that reasonable care?
> > Probably. But I think the underlying point is that if you assume *no*
> > knowledge of the person, then if these typical measures fail as they
> > sometimes will, there's literally no way to safely recover the account,
> > even if the person shows up in person with ID.
> >
> > But in actual practice, we *do* tend to assume some binding to a person,
> > even if it's weak or implicit, and we do fall back to that if remote
> > reset doesn't work. We don't just throw away non-guest accounts and
> > force somebody to get a new one if they're an affiliate.
> >
> > But none of that is codified in Bronze. I guess the real underlying
> > question is whether it's enough to just say "reasonable care". I suspect
> > that's in keeping with the idea of an unaudited assurance level.
> >
> > -- Scott
> >
>

Attachment: smime.p7s
Description: S/MIME cryptographic signature