InCommon Federation Discussions About Online Student Services

[Brendan Bellina <>]

I guess I should have read this a couple of weeks ago.

These links are great.

However, I am going to stand by my statement that it is always bad practice to make public your internal unique identifier. Email addresses are a perfect case in point. Email addresses are often name-based because of the desire for recognizability. Yet people change names, misspell names, abbreviate names, and sometimes just dislike their names. So systems that generate email addresses and use them as internal unique identifiers are forced for a variety of reasons to change those identifiers.  Names are also not unique and so uniqueness at institutions that generate a large number of these identifiers may require including something extraneous to ensure uniqueness, such as a fake middle initial or appending a digit or two. If those identifiers have been distributed publicly then those changes become a problem for both the user of the identifier and the services the identifier was provided to. Then, as a result, the system that generated the email address may have restrictions put upon it such as never reissuing an email address and/or maintaining the email address for life. They would not have been restricted in this fashion had they kept the internal unique identifier to themselves and distributed a different public identifier. If EDUCAUSE decides to rename itself IT4EDU then because your public identifier ends with @educause.edu they would have to go on supporting educause.edu identifiers for a very long time, possible forever.  Or they may want to change everyone's internal identifier to @it4edu.edu.  Both of these would be bad and unnecessary if the public email address were not also the internal unique id.

Second reason, identifiers are often assumed to be shared secrets. It is not enough to say they shouldn't be when we know very well that they are. This isn't a perfect world and it isn't going to be. If someone realizes that their public identifier is being used for authentication to some services and that it is known to others, then they may feel it is compromised and want it changed.  This is a request that you should be able to meet without changing your internal unique identifier and wreaking havoc on your IdM components.

Our systems need an internal unique identifier. Its purposes are not the same as a public identifier needed by a user of our systems. There is no valid reason to mix to requirements of the two, and doing so will lead to restrictions of the one applying to the other.  And in most cases the momentum will be with the public identifier because user complaints, spoken loudly and frequently or just whispered in the right ear, are the root cause of many a patch and hack in our already overcomplicated systems.

Regards,

Brendan Bellina

Identity Services Architect

Mgr, Enterprise Middleware Identity Management

Information Technology Services

University of Southern California

On Jan 11, 2011, at 5:32 AM, Rodney Petersen wrote:

Well, in some small measure it is because state or federal laws and regulation increasingly restrict its use.  There are a handful (3 or 4 states) that outright prohibit its use as an identifier for employees and students and others that restrict it from being printed on ID cards and require other steps to minimize abuse.  The State of California, at the mandate of its state legislature, recently concluded a study of the use of SSN’s at institutions of higher education (see http://www.privacy.ca.gov/res/docs/pdf/SSN%20Report%20FINAL.pdf).  There is increasingly pressure from the federal government to limit its non-official uses - see the recommendations of the President’s Task Force on Identity Theft (http://www.identitytheft.gov/) and the FTC’s Report on “Security in Numbers:  SSN’s and Identity Theft” (http://www.ftc.gov/os/2008/12/P075414ssnreport.pdf).  The 1998 FERPA rules also contain extensive commentary on the use and disclosure of SSN’s.

 

I have to disagree with Brendan’s observation “that it is always bad practice to make public your internal unique identifier” for precisely the reason that others have mentioned (i.e., a unique identifier should be accompanied by an act of authentication; there should be no harm if the unique identifier is known by others.  In some cases, the “identifier” (for login purposes) and email alias are one in the same (e.g.,  is both my email alias and directory ID).  That is why we argued for some flexibility in the 1998 FERPA rules to NOT treat identifiers (other than SSN’s) as non-directory information – i.e., arguing to the Department of Education that they should permit the sharing and disclosure of them without penalty, assuming the identifier alone does not provide access to FERPA-protected information.  I recognize that there is a difference of opinion in this approach which is why we took the position that there should be flexibility.

 

EDUCAUSE maintains a resource page on The Elimination of Social Security Numbers as Primary Identifiers at http://www.educause.edu/Resources/Browse/Elimination%20of%20Social%20Security%20Numbers%20as%20Primary%20Identifiers/33362

 

Thanks,

 

-Rodney

 

 

From:  [mailto:] On Behalf Of Keith Hazelton
Sent: Monday, January 10, 2011 7:48 AM
To: mace-dir; Valerie Vogel; InC-Student
Subject: [InC-Student] Why so much effort to minimize use of SSNs in the US?

 

I'm asking for a range of answers to the question "Why have we in the US spent so much time and resource into getting the SSN out of our systems and data files?"  I have recently seen opinions that it's really only because the SSN was used as part of an authentication solution.  It may seem obvious to some that there is more to it, but I'm asking you to state the various concerns that led us to push back so hard on their widespread use.

 

Why?  High-energy discussions around person identifiers are swirling around the US again.  A new push from several quarters for a "globally unique, persistent and portable identifier" is driving the discussion.  This is often jokingly introduced as "The SSN was perfect, but we can't use that, so..."

 

Help enrich the discussion by contributing your answers.  One place this will surface is on the InCommon, Internet2 and Educause-sponsored "IAM Online" series this Wednesday, Jan. 12 at 3:00 pm Eastern Standard Time, "A Panel Discussion about Persistent Identifiers for Education" (see http://www.incommon.org/iamonline/ for details).