assurance - [Assurance] Monthly Assurance Call Focusing on Password Reset Topic: Wed. April 1, 2015 at noon ET, 0129048#
Subject: Assurance
List archive
[Assurance] Monthly Assurance Call Focusing on Password Reset Topic: Wed. April 1, 2015 at noon ET, 0129048#
Chronological Thread
- From: Emily Eisbruch <>
- To: "" <>
- Subject: [Assurance] Monthly Assurance Call Focusing on Password Reset Topic: Wed. April 1, 2015 at noon ET, 0129048#
- Date: Thu, 26 Mar 2015 12:35:43 +0000
- Accept-language: en-US
- Authentication-results: incommon.org; dkim=none (message not signed) header.d=none;
Greetings,
For reference, below Eric's January 2015 summary of an email thread on the password reset topic. Thank you and we look forward to your participation on the call. Emily ===================== FOR REFERENCE: EMAIL THREAD SUMMARIZED BY ERIC GOODMAN AS OF JAN. 2015 Hello and Happy New Year! At the end of last year I started a thread on the InCommon Participants mailing last year discussing account recovery/password reset and the Bronze IAP. It was pointed out (offline) that the InCommon Assurance mailing list is probably a more appropriate place for the discussion, so I’m posting a follow-up summary of that thread here instead of on the Participants list. My original message was asking about section 4.2.4.3 of the Bronze/Silver IAP. That section provides a list of approved password change methods, followed by the statement “if none of these methods is successful then the Subject must re-establish her or his identity with the IdPO per Section 4.2.2 before the Credential may be renewed or re-issued.” Because the section 4.2.2 applies only to Silver IAQ accounts, there’s ambiguity about what is acceptable for recovery of a Bronze IAQ account when the explicitly allowed mechanisms fail. In that thread, I asked for examples of processes campuses actually use to recovery Bronze IAQ accounts when the allowed methods in 4.2.4.3 fail, and specifically how campuses that have certified/self-asserted compliance with Bronze determined/justified that such processes met the IAP requirements in this section. There was a good theoretical discussion of the requirements -- and I did even get one response (off-list) with an actual Bronze process example :). Reading between the lines of the theoretical discussion, I want to make some concrete statements and see if they capture what people are thinking and doing: How people interpret the IAP requirements: · For Silver: The list of allowed methods in 4.2.4.3 combined with the identity proofing processes defined in 4.2.2 comprise a complete list of allowed password change methods. · For Bronze: The list of allowed methods in 4.2.4.3 provide an incomplete list of allowed password change methods. Other methods would be considered to be acceptable/compatible if they meet the general Bronze IAP criteria outlined in section 3.1 that: o “Assertions under this [Bronze] profile are likely to represent the same Subject each time a Subject identifier is provided” and o “it is expected that IdPOs use reasonable care when [re-]issuing Credentials to confirm that a single individual applies for and receives a given Credential and its Authentication Secret.” How people apply this requirement (for recovery of Bronze accounts): a) Users provide information that loosely (i.e., not Silver verified) binds their account to known, valid identity data. E.g., A user provides information that matches them to an employee or student record as part of creating/updating their account profile. b) Account operators presume that (unverified), completely self-asserted information registered by a user in their profile accurately describes the real world owner of the account. If either are true, then we can use whatever mechanisms we see as meeting the “reasonable care” guideline to verify a real life person’s identity against the (a) referred to source system record or (b) the (unverified) profile data registered on the account, to perform account recovery operations. Implications: · Account operators presume that people provide accurate information as part of their account profiles, even if there’s no mechanism whatsoever to positively validate that presumption. o E.g., if I registered an account using a fake name and other data, I wouldn’t be able to recover that account (if 4.2.4.3 methods fail), but some real person who happens to match the false information I provided could potentially take possession of the account. In this case, we fail the “it’s the same person each time” test, but arguably not in a way that violates the “reasonable care” metric. · For truly anonymous accounts (no name or other data that can be verified against externally), there is no recourse; if the 4.2.4.3 methods fail the account is forever unrecoverable. · It’s arguable that the additional processes (beyond 4.2.4.3) account operators use for of recovery Bronze accounts should (must?) be registered as Alternative Means with InCommon. o This contradicts the interpretation (above) that section 4.2.4.3 is an incomplete list of allowed methods for both Bronze. o Alternative Methods processes are likely similar enough across campuses that relatively few would need to be created to cover most use cases . Is this a reasonable summary of how people look at account recovery for Bronze accounts? Thanks for your time, especially if you’ve read this far! --- Eric Emily Eisbruch, Technology Transfer Analyst Internet2 office: +1-734-352-4996 | mobile +1-734-730-5749 |
- [Assurance] Monthly Assurance Call Focusing on Password Reset Topic: Wed. April 1, 2015 at noon ET, 0129048#, Emily Eisbruch, 03/26/2015
Archive powered by MHonArc 2.6.16.