Assurance Monthly Call – July 18, 2012

Keith Brautigam, Iowa  
Jim Green, Michigan State  
Ann West, InCommon/Internet2
David Bantz, Alaska  
Mark Jones, UT Houston Health Sciences Center 
John Krienke, InCommon/Internet2  
Bill Weems, UT Houston Health Sciences Center 
Mark Rank, UW Milwaukee
John Goodman, UW Milwaukee
Chris Spadanuda, UW Milwaukee

Action Items

  1. Add your remote proofing use cases to the wiki: https://spaces.at.internet2.edu/x/PYPYAQ
  2. Nick will communicate the comments about the proposed remote proofing scenarios (video and notary) to the Big Ten auditors
  3. Ann will be asked to do the same to the InCommon 
  4. Mary will distribute a draft of a mapping between the IAP and the EDUCAUSE Information Security Guide and ask for comments

Remote Proofing

CIC - Jim Green gave an update on the CIC Documentation work. Documentation will be similar across the institutions, and if they work together they could share each other's documents and save some work. Putting documents in the Assurance Wiki - Documentation Examples. For every factor in the IAP, examples of management assertions and examples of documents that support those management assertions. Work in progress. If you're interested in joining, let Jim know: jfgreen@msu.edu.

1.2 revision - would like to see the current 

In-Person versus Remote Vetting

Mark Jones explained that notary is not remote vetting.

Proofing someone remotely or just remote proofing with the person remote but we're doing it. Doesn't seem to be remote proofing. Person is not at the same place as the verifier. Not a delegated in-person proofing. 

1) would trust notary comply?

2) method of true remote proofing?

Michael's is identity proofing and not using the mechanism for remote proofing à la 800-63. Driver's license information checking.

Delegated access to remote proofing. 

Outcomes

- Matrix of use cases vs techniques

- notary? UT or Nick?

Discussion of remote proofing use cases on the wiki: https://spaces.at.internet2.edu/x/PYPYAQ

Trusted agent

Notaries - 

Remote folks in rural areas. 

What are the in-person use cases? There will be 3 buckets. Driver's license information and verifying.

AI - Jim Green to ask if anyone is doing identity proofing by verifying driver's licenses?

Doing criminal background checks? External entity could cover that.

Goal - Clarify as remote proofing. 

Which methods work for what use cases. 

Several seem to be missing:

  • student accepted but not yet on campus
  • faculty hired but not yet on campus
  • work-at-home employees

(AI) Those who suggested use cases, please add to the wiki. If you don’t have edit access, email Dean (woodbeck@internet2.edu)

Discussion of the approaches proposed by Michael Gettes

Video approach - comments

  • Is this overkill, or is this just a very detailed description with all of the steps for Silver?
  • More convenient for a user than the notary approach
  • Will holding an ID or document up to a camera pass muster for Silver? With auditors?
  • Need another option if the user’s bandwidth is too low for video
  • Driver’s licenses often have elements not visible with ambient light

But, Silver requires the presenting of a document, not vetting whether it is legitimate. Just checking, for instance, that the photo on the driver’s license matches the person presenting.

There was also discussion about the ease of forging documents to show on a video camera, and also the ease of spoofing an email address. It could be that, for video proofing, using an email address as address-of-record may not be allowable.

Suggestion to take the notary and video proposals to the InCommon TAC for review and comment.

Suggestion to ask TAC the question whether a notary is considered in-person proofing (just like campus proofing) or remote. Is the notary effectively an agent of the campus?

(AI) Nick will run these approaches and concerns past the Big Ten auditors. 

(AI) Ask Ann to run these approaches and concerns past the TAC.

---

IAP/IAAF – Some had problems finding the latest versions of the 1.2 IAP and IAAF. It would be good to have the latest versions on the wiki, even if there is a note that they are still draft.

----

Mary is creating a cross-reference mapping between the IAP and the EDUCAUSE Information Security Guide (which has a section on access control). The goal is to determine if there are sections of the guide that would be useful for institutions applying for Silver. Mary will send the document to the list for comment.
