InC-Student: Notes from 10/17/2008
------------------------------------------------
Andrea Beesing, Cornell
Joanne Berg, UWisc
Renee Frost, Internet2
Ken Klingenstein, Internet2
Nancy Krogh, Idaho
Charlie Leonhardt, Georgetown/PESC EA 2
Mark McConahay, Indiana
Angel Mennitto, Cornell
RL Bob Morgan, Washington
Karen Schultz, Penn State
Ken Servis, USC
Alan Walsh, Indiana
Ann West, Internet/EDUCAUSE (scribe)

Action Items
-----------------
- Charlie will talk to NSC CIO Doug Falk and Meteor Project Manager Tim Cameron, as well as independent contractor Tim Bornholtz, who's working on the NSC/Stanford Project, find out more about their plans, and report back to the group.

Next Call
------------
Next call is Friday November 14 at 3:00 pm Eastern.

Notes
--------

PESC EA2

Charlie discussed the history and role of the PESC EA2 group as a prelude to our discussion about synergies between their activities and ours. EA2 was formed after the PESC Electronic Authentication Partnership merged into the Liberty Alliance. A diverse group of government, higher ed and financial services, EA2's role is to enable broad electronic services between the sectors represented on the committee and higher education. Using AACRAO's and PESC's influence, the group will develop best practices and use cases, educate communities, and work on pilot projects in the student financial area.

PESC has lost a few financial members due to the industry's newfound focus on basic business practices in lieu of technology standards. However, EA2 may be able to play a role in educating and participating in best practices and modeling procedures, technologies, and toolkits for the financial industry and get them interested again in our issues. One outcome, for instance, would be to bless the InCommon Federation and make an explicit statement of what constitutes level of assurance support (NIST or InCommon Silver or something else) to help standardize the authentication approach.

At a track session at the recent Internet2 Fall Member Meeting, Jack Suess, CIO of UMD-Baltimore County, reported that his registrar gave him an NSC contract to sign relating to levels of assurance that UMBC supports for student self-services access. The primary contract specifies NIST Level of Assurance (LoA) 1, but the Optional Addendum for Meteor Real-Time Loan Detail Access requires NIST LoA 2 and asks for information on the institution's identity processes. Nancy mentioned that NSC is requiring campuses to sign this new document by November 1 in connection with the new support of student self services. NSC self-service applications are used by 500+ institutions, and the group speculated that campuses are signing this without full understanding of the requirements.

Bob mentioned that, in general, the NIST levels aren't very specific about what to do. InCommon Silver, however, is more prescriptive, and he recommended that PESC EA2 and this group work with NSC and Meteor on understanding and adoption of Silver. NIST, for instance, allows for self-assertion of LoA, whereas InCommon Silver requires an audit to be performed before a campus is deemed compliant.

[AI] Charlie will talk to NSC CIO Doug Falk and Meteor Project Manager Tim Cameron, as well as independent contractor Tim Bornholtz, who's working on the NSC/Stanford Project, find out more about their plans, and report back to the group. Will NSC, for instance, require that all the institutions comply by December? However, the date is not as important as using it to educate the community about LoA.

NSC/Stanford and New Attributes

Bob reported out on his action item from the last call to talk with Tim Bornholtz and Bruce Vincent (Stanford) about a common understanding on the data definitions of student id and org id needed for the NSC/Stanford pilot. Bob summarized that using the PESC XML Transcript standard was considered a fine idea, and that Tim will talk to PESC about developing an extension to the document describing its use in a federated/SAML context. (Tim will contact the XML Transcript author, Tom Stewart, about this.) Bob suggested that the process seems to be straightforward and that it would be a nice success to promote.

Educause Annual Conference

Like last year, it would be timely to have identity management topics on the agenda at the Educause Student Services CG, and the group suggested the following items:

- Mark to lead a discussion on the upcoming Student Identity Life Cycle CAMP.
- Tom Black to discuss his work with NSC and possibly bring up the student/institutional identifier issue.
- Bob mentioned that it might be interesting to get the attendees' feedback on outsourcing in the cloud. He had a discussion recently with a representative from Univ of Kentucky who, after looking for an outsourced enrollment management system, chose Hobsons. Is this common?

Privacy and International Relations

Ken K. gave an update on the international privacy discussions that have been occurring in other contexts.
- The privacy issues we've been discussing in the student space also apply with faculty and staff. However, these latter audiences don't have an equivalent of FERPA. What do we use for them?
- The EU has been discussing whether or not IP address should be considered PII. There are differences of opinion, but the gist is that unless you *know* that the IP address is not a one-to-one relationship, then it is PII.
- In talking further with the UK folks, there's disagreement on whether a court order should be required to release identity associated with opaque identifiers such as eduPersonTargetedId. Given the inconsistency across the international space, InC-Student will shelve this discussion until more concrete requirements are presented.

Ken K. also asked who decides which outside parties have reasonable academic-related needs and can receive protected identity information. This decision tends to be reviewed and made by the registrar, but some fly under the radar; there's no clear authority even if the institution has a privacy officer. It depends on the contract and negotiation process.

Red Flag Rule

Alan asked the group about the approach they are taking with the new Red Flag requirements. In general, this is a bursar issue, but it is coming to the attention of Registrars. For more information, refer to:

NACUBO article: http://www.nacubo.org/documents/business_topics/FTC%20Red%20Flags%20RULE.pdf
EDUCAUSE resource site: http://connect.educause.edu/term_view/ID+Theft+Red+Flags, including a webcast on Wednesday October 22 from 2-3pm Eastern.
