
inc-student - Notes from 1/25

Subject: InCommon Federation Discussions About Online Student Services



  • From: Ann West
  • To: InC-Student
  • Subject: Notes from 1/25
  • Date: Mon, 25 Jan 2010 16:50:13 -0500 (EST)

InC Student: Notes 1/25
-----------------------
Attending

Andrea Beesing, Cornell
Brendan Bellina, USC
Keith Hazelton, University of Wisconsin-Madison
Louis Hunt, North Carolina State
R.L. "Bob" Morgan, University of Washington
Mark Scheible, North Carolina State University
Renee Shuey, Penn State University
Ann West, Internet2/EDUCAUSE

-------------------
Action Items

(AI) Mark M, Ann, and Keith will craft a proposal for a session for the
EDUCAUSE annual meeting in November.

(AI) On our next call, we'll talk about which path to take: Developing the
M&M life cycle tool or developing practices/recommendations for distance ed
students (remote IdM issues).

-------------------

Discussion of M&M Credential/Life Cycle Tool
The group discussed the proposal for developing a tool. In general, one would
gather information about the risk, end user and action from the services
owner, put that into the tool, and out spits LoA/credential practices.

We don't want to make this prescriptive (there are reasons why one would want
to make a business decision to use a lower LoA credential to access a higher
LoA application), but it would be a place to start. In reality, there's a gap
between what you want and what you can provide, but at least you're aware of
it. And you might implement some risk mitigation strategies as a transition
path.

We need to start with capturing the criteria needed to make the risk
decisions and then use that to drive the IdM/credentialing requirements.
What are the points to consider when assigning risk? We think of things like:
- liability
- financial
- legal
- public relations/good will
- et cetera

Holy Cow! This is sounding like OMB M-0404, the publication used by federal
agencies to determine their application's risk level and how it maps to the
NIST 4 levels of assurance. Is this what we're trying to write for HE? Can
the risk criteria be normalized? Maybe not completely, but we can take a shot
at it.

An Alternative: Looking at Distance Ed Students and Credentialing Issues

The group started talking about the scoping issues and project definition of
the M&M proposal. But wait, another option might be to start back where we
began and instead work on remote user/distance ed issues. This work might
include:

- What approaches are being used (we could do a survey) now to address this
issue and what are the gaps? Does AACRAO have any info on this?
- What are the practices for authn and remote test taking?
- What are the international issues?
- Could InCommon help? A possible outcome might be a proposal for federated
Id Proofing.
- What stakeholders need to be involved? Risk management? Audit?
- Individuals now are used to dealing with services as a customer of Apple,
Google, etc., and the access there seems easy. Questions come up then about why
the enterprise/institutional world is different. Much education needs to be
done on the issues of individual (Google/Facebook) identity versus enterprise
(Indiana University, Stanford University) approaches.

The reasons we might consider working on this topic instead include:
- it's a known, concrete, understandable problem that many are grappling with
right now
- we could develop recommendations/education materials more quickly, helping
HE sooner (Shipping is a feature.)

[AI] On our next call, we'll talk about which path to take: Developing the
M&M life cycle tool or developing practices/recommendations for distance ed
students (remote IdM issues).



--
Ann West, Sr. Program Manager
Internet2/InCommon/Michigan Tech


office: +1.906.487.1726


