| On the InC-Student call Friday, the conversation was about the CommIT initiative. One issue that arose was that there should be recognition, and a stated policy, that CommIT is not intended to to unlock anything on its own and should not be published anywhere. Heidi Wachs of Georgetown said she would draft text to that effect. Below is her text, plus a response from Arnie Miles.
We're opening this to the list for discussion.
Dean Begin forwarded message: From: Arnie Miles <>
Subject: Re: Notes from call
Date: August 6, 2012 2:11:20 PM EDT
To: Heidi Wachs <>
Cc: Dean Woodbeck <>
One thing that we should tease out. CommIT offers a unique machine-readable identifier that students access by entering their usernames and passwords. That's what uniquely identifies a person to a service, and it can only be accessed by the user inputting their username and password. So, there's the machine-readable identifier and the user inputted credentials. To access the machine-readable identifier you have to plug in the username and password. We've been talking about making the machine readable portion privacy preserving, either by technology or by policy.
So, the machine-readable identity shouldn't be widely published. The username doesn't much matter. And, of course, the password is private.
Also, we're blurring the lines between authentication and authorization. Your first sentence should read something like: "The CommIT username alone should be valueless, and when combined with associated password should only be used for authentication, never for authorization." Service providers should allow users to present their CommIT username and password to access their CommIT machine readable id to authorize them to perform tasks at the services.
On Mon, Aug 6, 2012 at 1:42 PM, Heidi Wachs <> wrote:
Dean - thank you for capturing and sending the notes. This is the language I propose:
The CommIT ID should only be used for identification, never for authentication. The ID alone should not permit access to any records, files, or documents of record. Although the CommIT ID will be required for business functionality across institutions and third parties who participate in the CommIT ecosystem, the numbers should not be published anywhere (for example, in a campus directory). Access and use of the numbers should be restricted to a need-to-know basis. Business transactions based on the CommIT ID may only be initiated by the owner of the CommIT ID, as enforced by policy and, where possible, technical control.
On Fri, Aug 3, 2012 at 3:50 PM, Dean Woodbeck <> wrote:
--
Heidi L. Wachs, Esq.University Chief Privacy Officer & Director of IT Policy
Georgetown University Washington, DC
|
