Scribing Template --Tues., Nov 12, 2013 at 10:45am -- Santa Barbara

TOPIC: Remote Identity Proofing

CONVENER: Valter North (SUNET) valter at sunnet.se; farhansj at academicgrid.my

SCRIBE:  Susan Neitsch

# of ATTENDEES:

MAIN ISSUES DISCUSSED:

Problems:

Distance education students/faculty in China who never leave China; situations where you never meet people in person.

Go over what they are doing in Sweden

Skype - expensive to set up.

Upload a scanned copy of photo ID to the portal before the call, and also upload a copy of a utility bill. Once these two items are uploaded, allow them to initiate the call. Not verifying the utility bill; don't have back channels to utility services in other countries. During the Skype call, hold up the ID card for the Help Desk to compare against the scanned copy. What is the goal? Match up to NIST LOA 2, or other concerns? Need a higher level of assurance for people entering exams; ID vetting that is 'good enough' plus compliance with international standards. The problem is with international students.

CommIT: identity notaries, outsourcing identity vetting and replacing 

Skype also offers physical verification, very close to being in person. Tying the Skype session to vetting, not just verifying the ID.

Trying to get absolute identity/real identity, or just stop fraud (one person asserting they are several people)? More toward real identity. Already have a working verified email address as part of the LOA 1 account. Try to get a phone number.

Don't verify the address from the utility bill. Does the ID address match the utility bill address? Passports don't have physical addresses. Paying for the course? A credit card that 'someone' is paying with. A bank account is acceptable as part of ID verification. PayPal model: deposit some number of cents into the account and have the user tell PayPal how many cents were deposited.

A credit card paying for the course may belong to someone other than the person taking the course.
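The micro-deposit check mentioned above (random small amounts sent to the account, user reports them back), written out as an added example. This is not PayPal's implementation; the number of deposits, the attempt limit and the five-day settlement window are assumptions made for the demo, and the account reference is a constructed placeholder.

```python
"""Micro-deposit proof of bank-account control (added example, not PayPal's code)."""
import hmac
import secrets
import time

CHALLENGE_LIFETIME = 5 * 24 * 3600  # assumed: five days for deposits to settle
MAX_ATTEMPTS = 3                     # assumed: discard the challenge after this


class MicroDepositVerifier:
    def __init__(self, deposits=2, max_cents=99):
        self.deposits = deposits
        self.max_cents = max_cents
        self._pending = {}   # account_ref -> {"cents": [...], "exp": ts, "tries": n}
        self.verified = set()

    def start(self, account_ref, now=None):
        """Pick random amounts in 1..max_cents and return them for the payment rail."""
        now = time.time() if now is None else now
        cents = [1 + secrets.randbelow(self.max_cents) for _ in range(self.deposits)]
        self._pending[account_ref] = {"cents": cents,
                                      "exp": now + CHALLENGE_LIFETIME,
                                      "tries": 0}
        return list(cents)   # what would actually be sent to the bank

    def confirm(self, account_ref, claimed, now=None):
        """Accept the user's report of the amounts; returns (ok, reason)."""
        now = time.time() if now is None else now
        ch = self._pending.get(account_ref)
        if ch is None:
            return False, "no pending challenge"
        if now > ch["exp"]:
            del self._pending[account_ref]
            return False, "challenge expired"
        ch["tries"] += 1
        if ch["tries"] > MAX_ATTEMPTS:
            del self._pending[account_ref]
            return False, "too many attempts"
        # Order-independent comparison of the whole set in one constant-time
        # step: the caller learns only pass/fail, never which amount was wrong.
        expected = ",".join(str(c) for c in sorted(ch["cents"]))
        if len(claimed) == len(ch["cents"]):
            got = ",".join(str(c) for c in sorted(int(c) for c in claimed))
        else:
            got = ""
        if not hmac.compare_digest(expected, got):
            return False, "amounts do not match"
        del self._pending[account_ref]          # single use
        self.verified.add(account_ref)
        return True, "account control verified"


if __name__ == "__main__":
    v = MicroDepositVerifier()
    amounts = v.start("acct-demo")   # constructed account reference
    print("sent:", amounts, "->", v.confirm("acct-demo", amounts))
```

The check proves control of the account, not who the person is; as the notes point out for credit cards, the account holder may not be the person taking the course.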

Hang-up on address: we verify the address because that's in the current model, but what does that give you? When you sign up for an account, that's an individual; with the address you're just trying to verify it is the same person in control, i.e., that it matches what they listed on their dossier.

Survey of distance education officers: found out that they didn't know what identity proofing was; thought letters from clergy/officials were adequate; only one university had outsourced to Experian. They do worry about giving academic credit for courses to the real student and complying with FERPA, but . . .

Some universities are setting up local vetters, but that is not globally scalable.

eduID: all universities given access to accounts; tie identity vetting to the central Swedish account.

Testing/certification: take a biometric at the time of the in-person event. OK with a coherent structure; for law exams/med exams this would work.

In the Skype session, give the person a credential; give a code in the session; save the session? No record of the test that has been applied? Countries where Skype is not allowed? Iterate.

Penn State: email to the person with a link unique to them, valid for 7 days; take them through screens: name, ID code (sent in the email), additional verification of zip code (sent in via the application; what is the zip code verified against? international address checking data flex), agree to Penn State policies (quizzes); enter DOB as electronic signature (verified against the DOB provided in the application); establish three security Q&A; create Penn State password. Account creation completed; confirmation email sent to both addresses.
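The Penn State activation flow above, modelled as an added example in Python. This is not Penn State's code: the applicant record is constructed, and the three-try limit, the minimum password length, the HMAC link format and the hypothetical activate.example.edu host are assumptions. The seven-day lifetime, the emailed ID code, the zip and DOB checks against the application and the confirmation to both addresses follow the notes; the security-question step is left out.

```python
"""Time-limited, single-use activation link checked against application data
(added example modelled on the flow in the notes; not Penn State's code)."""
import hashlib
import hmac
import secrets
import time

LINK_LIFETIME = 7 * 24 * 3600  # seven days, per the notes
MAX_ATTEMPTS = 3               # assumed: the notes give no retry limit
MIN_PASSWORD = 12              # assumed password policy

# Constructed applicant record, standing in for the admissions application.
APPLICATIONS = {
    "A1001": {"name": "Pat Example", "zip": "16802", "dob": "1995-04-17",
              "email": "pat@example.edu", "alt_email": "pat@example.net"},
}


class Activation:
    def __init__(self, key: bytes):
        self._key = key
        self._issued = {}  # token id -> {"app", "exp", "code", "tries", "used"}

    def issue_link(self, app_id, now=None):
        """Mint the emailed link plus the separate ID code the notes mention."""
        now = time.time() if now is None else now
        tid = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        exp = int(now + LINK_LIFETIME)
        payload = f"{tid}.{app_id}.{exp}"
        mac = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        self._issued[tid] = {"app": app_id, "exp": exp, "code": code,
                             "tries": 0, "used": False}
        return f"https://activate.example.edu/?t={payload}.{mac}", code

    def _check_link(self, link, now):
        """Verify signature, expiry and single use; return (token id, error)."""
        try:
            tid, app_id, exp, mac = link.split("t=", 1)[1].split(".")
        except (ValueError, IndexError):
            return None, "malformed link"
        payload = f"{tid}.{app_id}.{exp}"
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None, "bad signature"
        rec = self._issued.get(tid)
        if rec is None or rec["used"]:
            return None, "unknown or already used"
        if now > int(exp):
            return None, "expired"
        return tid, None

    def complete(self, link, code, zip_code, dob, password, now=None):
        """Walk the screens: ID code, zip, DOB-as-signature, password."""
        now = time.time() if now is None else now
        tid, err = self._check_link(link, now)
        if err:
            return False, err
        rec = self._issued[tid]
        app = APPLICATIONS[rec["app"]]
        rec["tries"] += 1
        if rec["tries"] > MAX_ATTEMPTS:
            rec["used"] = True               # burn the link; a fresh email is needed
            return False, "too many attempts"
        # Evaluate every check before answering so a failure reveals nothing
        # about which field was wrong.
        checks = [hmac.compare_digest(code, rec["code"]),
                  hmac.compare_digest(zip_code, app["zip"]),
                  hmac.compare_digest(dob, app["dob"])]
        if not all(checks):
            return False, "application data mismatch"
        if len(password) < MIN_PASSWORD:
            return False, "password too short"
        rec["used"] = True                   # single use
        return True, {"account": app["name"],
                      "confirm_to": [app["email"], app["alt_email"]]}


if __name__ == "__main__":
    act = Activation(secrets.token_bytes(32))
    link, code = act.issue_link("A1001")
    print(act.complete(link, code, "16802", "1995-04-17", "correct horse battery"))
```

Because the link is signed rather than stored in full, the server keeps only a token id, the expiry and a try counter; the zip code and DOB add little entropy on their own, which is why the ID code is sent out of band and the attempt counter is tied to the link rather than to the client.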

Are we all going to have to solve the same identity vetting problem? Solution built; allow other EU countries to use it? Global? Eventually.

Have you looked internationally at the top countries you are having to deal with? China, India, Pakistan; maybe federated identity vetting through their local federation.

The Swedish service is open source, available for anyone to pick up.

Enough broader interest that we can tap work done in all countries.

Each country is going to have something unique to that country (vetting options for the person you are vetting).

Advancement of web conferencing? If Skype or Google Hangout won't work, then look at other options. Just need video.

---

Malaysia: grid computing, CA service. Have problems with new users who are not familiar with user certificates; need to perform ID vetting for that person, or have them go to an RA; they don't like that, think it is troublesome. Would like to take advantage of identity federations. If a user's certificate is stolen, they need to communicate with the home org rather than the CA, since the home org has the user information from face-to-face ID vetting.

Verification is only for the issuance event; how useful is that for the use of the certificate? Incident investigation: if you've relied on the federation for ID verification, how do you deal with incident handling?

Not only a federation issue. The UK federation membership contract says IdPs will assist in incident investigation. What if the IdP is the one that learns there has been an incident? Are they obligated to notify the SP that they know someone has used a compromised account to access the SP? No; open issue for InCommon too.

Commonly the personnel in security are different from the personnel in identity.

TERENA task force is also tackling this. LEGO talked to research projects; the RPs were surprised to learn IdPs are not tracking or reporting compromises.

Does an IdP have to know every site an identity is used to access? In some situations this information needs to be obfuscated.

Need to balance: the international grid federation only requires that the certificate is revoked, not that everyone is notified. Be careful about raising the bar.

Incident response needs to correlate with LOA. Higher-security accounts: can expect more notifications.

Keep archives of every certificate that has been issued; the issuer receives PII as part of issuing a certificate that is later compromised.

Malaysia: mandatory ID attributes released by IdPs, so they have that data to rely on. The 2pm discussion will continue.

Interested to learn what barriers there are for IdPs to participate in incident response with SPs. Offering trust elevation services for SPs (multi-factor). A stepping stone for SPs.

Perception issue as well: if 'there may have been a compromise here' means the SP starts receiving hundreds of notifications a day, restrict notifications to only known ABUSE of accounts.

ACTIVITIES GOING FORWARD / NEXT STEPS:

If slides are used in the session, please ask presenters to convert their slides to PDF and email them to acamp-info@incommon.org
