InCommon Federation Discussions About Online Student Services

[Ann West <>]

All,

Below are Karen S's comments on the notes/discussion from the last call. 

Ann

---snip---
I think focusing on issuing credentials for distance students is an excellent 
idea.  As was apparently mentioned last Friday, this is an issue that we are 
all struggling with right now and where we could use some concrete solutions.
And I'd like to throw out an idea.  Perhaps we should look at the banking 
industry for possible models.  I hear people commenting frequently that they 
don't have to jump through this many hoops to get an account at an internet 
bank, so why should they have to at an IHE?  Maybe the banking industry has 
solved this.  
---snip---

Karen Schultz
University Registrar
Penn State University
114 Shields Building
University Park, PA 16802
(814) 863-3681   


-----Original Message-----
From: Ann West [] 
Sent: Monday, January 25, 2010 4:50 PM
To: InC-Student
Subject: [InC-Student] Notes from 1/25

InC Student: Notes 1/25
-----------------------
Attending

Andrea Beesing, Cornell
Brendan Bellina, USC
Keith Hazelton, University of Wisconsin-Madison
Louis Hunt, North Carolina State
R.L. "Bob" Morgan, University of Washington
Mark Scheible, North Carolina State University
Renee Shuey, Penn State University
Ann West, Internet2/EDUCAUSE

-------------------
Action Items

(AI) Mark M, Ann, and Keith will craft a proposal for a session for the 
EDUCAUSE annual meeting in November.

(AI) On our next call, we'll talk about which path to take: Developing the 
M&M life cycle tool or developing practices/recommendations for distance ed 
students (remote IdM issues).

-------------------

Discussion of M&M Credential/Life Cycle Tool
The group discussed the proposal for developing a tool. In general, one would 
gather information about the risk, end user and action from the services 
owner, put that into the tool, and out spits  LoA/credential practices.

We don't want to make this prescriptive (there are reasons why one would want 
to make a business decision to use lower LoA credential to access a higher 
LoA application), but it would be a place to start. In reality, there's a gap 
between what you want and what you can provide, but at least you're aware of 
it. And you might implement some risk mitigation strategies as a transition 
path.

We need to start with capturing the criteria needed to make the risk 
decisions that then use that to drive the IdM/credentialling requirements.
What are the points to consider when assigning risk? We think of things like:
- liability
  - financial
  - legal
  - public relations/good will
  - et cetera

Holy Cow! This is sounding like OMB M-0404, the publication used by federal 
agencies to determine their application's risk level and how it maps to the 
NIST 4 levels of assurance. Is this what we're trying to write for HE? Can 
the risk criteria be normalized? Maybe not completely, but we can take a shot 
at it.

An Alternative: Looking at Distance Ed Students and Credentialing Issues

The group started talking about the scoping issues and project definition of 
the M&M proposal. But wait, another option might be to start back where we 
began and instead work on remote user/distance ed issues. This work might 
include:

- What approaches are being used (we could do a survey) now to address this 
issue and what are the gaps? Does AACRAO have any info on this?
- What are the practices for authn and remote test taking?
- What are the international issues?
- Could InCommon help? A possible outcome might be a proposal for federated 
Id Proofing.
- What stakeholders need to be involved? Risk management? Audit?
- Individuals now are used to dealing with services as a customer of apple, 
google etc. and the access there seems easy. Questions come up then about why 
is the enterprise/instiutitonal world different? Much education needs to be 
done on the issues of individual (google/facebook) identity versus enterrpise 
(Indiana Univeristy, Stanford University) approaches.

The reasons we might consider working on this topic instead includes:
- it's a known, concrete, understandable problem that many are grappling with 
right now
- we could develop recommendations/education materials more quickly, helping 
HE sooner (Shipping is a feature.)

[AI] On our next call, we'll talk about which path to take: Developing the 
M&M life cycle tool or developing practices/recommendations for distance ed 
students (remote IdM issues).



-- 
Ann West, Sr. Program Manager 
Internet2/InCommon/Michigan Tech 
 
 
office: +1.906.487.1726 


-- 
Ann West, Sr. Program Manager 
Internet2/InCommon/Michigan Tech 
 
 
office: +1.906.487.1726