InC-Student: Notes from 10/2/2009

-------------------
Attending

John Borne, Louisiana State University
Karen Hanson, University of Wisconsin-Madison
Keith Hazleton, University of Wisconsin-Madison
Ann Hopkins, University of Washington
John Krienke, Internet2
Mark McConahay, Indiana University
RL "Bob" Morgan, University of Washington
LeRoy Rooker, AACRAO
Mark Scheible, North Carolina State University
Karen Schultz, Penn State University
Ken Servis, University of Southern California
Renee Shuey, Penn State University
Ann West, Internet2/EDUCAUSE
Dean Woodbeck, Internet2 (scribe)

-------------------
This week's call included guest LeRoy Rooker, a consultant to AACRAO and expert on FERPA. The call was to introduce LeRoy to InCommon and the Silver assurance profile.

Ann started the meeting by presenting her slides from this year's presentation at AACRAO Tech, including:

  1. Bedtime Story
  2. Problems federation is trying to address
    a. Substantial growth in the number of off-campus applications
    b. Verification of student identities
    c. Knowing who is eligible to access the service
    d. Knowing whether a student is still actively enrolled
    e. Security and privacy of identity data
  3. "The challenging way" (i.e. non-federated) - interacting with each service provider separately with separate userIDs and passwords
  4. "The federated way"
    a. The institution (IdP) does authentication
    b. Single sign-on for user
    c. Resource providers no longer manage user accounts
    d. Reduced help-desk load
    e. Standards-based approach
  5. SAML and Shibboleth provide the standard
  6. Role of the federation
    a. Agreed-upon attribute vocabulary/definitions
    b. Criteria for IdM practices, privacy stewardship, interoperability standards, technologies
    c. Trusted "notary" for all universities and partners
    d. Trusted exchange of participant information
  7. Federations - Who is using this approach?
    a. Higher education systems (University of Texas, University of California, University of Maryland)
    b. Network providers (NJEdge, MCNC, Gt. Plains)
    c. Countries (UK, Swiss, Netherlands, Sweden, Norway, Denmark, etc.)
  8. Summary of federation characteristics
    a. Minimizes distribution of personally identifiable information
    b. Services are tied to role/affiliation
    c. Ease of use
    d. Time and money savings
    e. Student/user information is up-to-date, since it comes from the institution's identity management system
  9. InCommon
    a. Specifies the criteria used to assess the credential strength of IdPs
    b. Bronze and Silver (provides initial practices for authentication)
    c. Based on NIST 800-63

Bob further outlined the purpose of Silver - that it provides an affordable way to do identity management that meets the needs of the federal government and other "vendors" in terms of access to higher-value, higher-risk applications.

Identity-proofing methods were discussed. Karen Schultz mentioned that it is relatively easy to identity-proof an individual who is physically located on campus, but much harder to do so for distance students. One example discussed was a requirement to provide a notarized copy of a driver's license, something that both students and help desks dislike.

Campuses also need to be more attuned to the concept of levels of assurance - that not everyone needs to be as rigorously identity-proofed as others (alumni, for example, may only need level 1, while students would need level 2).

Ann said that the InC-Student group is interested in LeRoy's insight on InCommon Silver and whether this identity assurance profile conforms to FERPA regulations, as well as his thoughts on the usefulness of promulgating Silver as a basic practice statement for campuses looking to do the right thing, in terms of identity management. For campuses interested in this as a best practice, the next challenge is convincing those that need to change their methods as to the benefits.

LeRoy commented that all of this reflects a huge issue on every campus. While the regulations in the NIST and OMB circulars can provide direction for institutions, there is no established specific standard. He also said that FERPA is technology neutral - it says you have to protect records, disclose such records only with consent and only to parties who need to receive that information. So, anything that can help with this process is good.

The group also has an interest in further discussion with LeRoy about the process of attribute release and its relationship with FERPA. Perhaps this could be the topic of a future call.

------
EDUCAUSE Annual Meeting

Ken Servis said the EDUCAUSE constituent group will have a lunch meeting - this usually has an open agenda. Likely topics include electronic transcripts and National Student Clearinghouse student self-service changes. There may be interest in working with AACRAO on adopting a standards level (such as Silver) that is compliant with FERPA.

-------
National Student Clearinghouse and Meteor

Bob reported on a call with the Clearinghouse and the Meteor project about assurance levels. They have a desire to establish standards for using student self-service access in the NSC - a lower-level standard for students just getting to their own information (NIST level 1 - InC Bronze) and a higher standard for accessing Meteor and student loan materials. Meteor is now pointing to the NIST document and that is confusing to campuses. They looked at Silver, but have the impression that it imposes too much. They weren't able to be specific, but will come back with specifics. In general, they seem enthusiastic to adopt a single standard.

-------
Next meeting - Friday, October 16, 3 p.m. EDT
