
assurance - Re: [Assurance] Re: Question for address of record for silver assurance

Subject: Assurance




  • From: Ann West <>
  • To: Mohammad Rahman <>, "" <>
  • Cc: Chris Dowden <>, "R. Andrew Johnston" <>, Paul Caskey <>
  • Subject: Re: [Assurance] Re: Question for address of record for silver assurance
  • Date: Tue, 7 Jul 2015 17:38:18 +0000

Hi Mohammad,

You may want to check out the case studies and tools on the InCommon Assurance wiki. For instance, you’ll find a password tool which will help you determine which options you can set to achieve the required entropy. In particular, see the Community Contributions section. 

Regarding your question number 5, 7.5 years is a requirement for Silver-level credential issuance record retention per the US Government.

Best,
Ann


Ann West | Associate Vice President 
Trust and Identity | Internet2
475 17th St, Ste 1210 | Denver CO 80202 
W: 720.379.9666 | C: 906-370-9775


From: Mohammad Rahman <>
Date: Tuesday, July 7, 2015 at 8:17 AM
To: "" <>
Cc: Ann West <>, Chris Dowden <>, "R. Andrew Johnston" <>, Paul Caskey <>
Subject: Re: [Assurance] Re: Question for address of record for silver assurance

Hi All,

We have some queries about Silver certification:


1. What should be the minimum character requirement for a Silver user password? Is a 12-character minimum in any way a requirement?
2. Are there any crypto requirements we would have to make changes to meet?
3. Would we be required to have a method of detecting password guessing?
4. Is "password is never re-used" a requirement?
5. Is 7.5 years of "Credential Issuance Record Retention" a requirement?


Thanks,
Mohammad Rahman

On Wed, Jun 24, 2015 at 2:50 PM, Dunker, Mary <> wrote:
Mohammad,

As Ann indicated, your auditor should interpret the spec for you. During our in-person identity proofing process, if the address on the document the person presents to verify identity (for example, drivers' license) does not match the address in our system of record, we require the person to enter the password for the university account that controls their email.

I hope this helps.
Mary

-----------------------------------------------------------------
Mary Dunker
Director, Secure Enterprise Technology Initiatives
Virginia Tech Information Technology
1700 Pratt Drive
Blacksburg, VA 24060
540-231-9327

--------------------------------------------------------------------


-----Original Message-----
From: [mailto:] On Behalf Of Mohammad Rahman
Sent: Wednesday, June 24, 2015 2:35 PM
To:
Cc: Ann West; Chris Dowden; R. Andrew Johnston; Paul Caskey
Subject: Re: [Assurance] Re: Question for address of record for silver assurance

Hi Mary,


Thank you very much for the quick response. What kind of evidence is required to validate "the person being identity-proofed for Silver is in control of the university email address they supply"?


Best Regards,
Mohammad Rahman
CUIT

On Wed, Jun 24, 2015 at 1:55 PM, Dunker, Mary <> wrote:


        As part of Virginia Tech’s Silver identity proofing process, in order to use email as address of record, we require evidence/verification that the person being identity-proofed for Silver is in control of the university email address they supply.



        Mary





        -----------------------------------------------------------------

        Mary Dunker

        Director, Secure Enterprise Technology Initiatives

        Virginia Tech Information Technology

        1700 Pratt Drive

        Blacksburg, VA 24060

        540-231-9327


        --------------------------------------------------------------------



        From: [mailto:] On Behalf Of Mohammad Rahman
        Sent: Wednesday, June 24, 2015 10:02 AM
        To: Ann West
        Cc: Chris Dowden; R. Andrew Johnston; Paul Caskey;
        Subject: [Assurance] Re: Question for address of record for silver assurance



        Thank you very much, Ann, for clarifying this issue and pointing us to the right group of people who can help us.



        Assurance Team,



        Can you please verify details about "email address does qualify as address of record for some"? Which group of people does "some" include?

        Can email address verification be the only process for address of record verification for Silver assurance?

        Is there any documentation for the infrastructure requirements?





        Best Regards,



        Mohammad Rahman

        CUIT











        On Tue, Jun 23, 2015 at 5:10 PM, Ann West <> wrote:

        Hi Mohammad,



        Many thanks for your inquiry on InCommon Silver Assurance.



        The best place for getting advice on the interpretation of the Assurance requirements is from the campuses pursuing Assurance or those that have been certified. These folks can be contacted on the <mailto:>  email list.



        That said, email address does qualify as address of record for some. Given that your auditor will be reviewing your infrastructure, it’s key that you involve that person in the interpretation of the spec. For further information, I suggest you contact the list above.



        And yes, you can scope your Silver Assurance to a target audience, a specific authentication infrastructure or both.



        Best,

        Ann





        Ann West | Associate Vice President

        Trust and Identity | Internet2

        475 17th St, Ste 1210 | Denver CO 80202

        W: 720.379.9666 | C: 906-370-9775





        From: Mohammad Rahman <>
        Date: Wednesday, June 17, 2015 at 1:30 PM
        To: Ann West <>, Chris Dowden <>, "R. Andrew Johnston" <>
        Subject: Question for address of record for silver assurance



        Hi Ann,



        We are from Columbia University Information Technology (CUIT) working for Silver assurance. We have some questions regarding Silver assurance address of record.





        For Silver assurance, is there a requirement to use a physical Address of Record? Is it possible to satisfy the Silver assurance requirements by using just an electronic Address of Record?



        Are "Silver credentials" issued only to employees?









        Thanks,

        Mohammad Rahman



        Sr. Application Systems Developer

        CU Information Technology

        Columbia University







