InC-Student: Notes from 12/18/2009
-------------------
Attending
Keith Hazelton, University of Wisconsin-Madison
Scotty Logan, Stanford University
Mark McConahay, Indiana University
R.L. "Bob" Morgan, University of Washington
Rodney Peterson, EDUCAUSE
Mark Scheible, North Carolina State University
Renee Shuey, Penn State University
Ann West, Internet2/EDUCAUSE
Dean Woodbeck, Internet2 (scribe)
-------------------
Action Items
(AI) Mark M, Ann, and Keith will craft a proposal for a session for the EDUCAUSE annual meeting in November.
(AI) Mark will go through the grid and move some items from the "identity proofing" column to the "vetting" column. He will also work in the applicable concepts from Penn State's draft risk assessment table.
-------------------
Announcements
Keith announced that the University of Wisconsin system has a Shib 2.0 IdPs for all campuses in the state system (all except Milwaukee and Whitewater are hosted at Madison).
-------------------
EDUCAUSE Annual Proposals - due Jan. 26
There was a suggestion to submit a proposal for the 2010 EDUCAUSE annual meeting (November 2010), based on Mark's LoA grid work. The consensus was that things should be far enough along in November to warrant a presentation. (AI) Mark M, Ann, and Keith will craft a proposal.
-------------------
Grid, the Sequel
Mark made changes to the grid, based on the notes from the last meeting - collapsing some rows, embedding links, and adding two columns ("Remote Access Only and LoA). He also brought in the idea of using a third-party vendor or a federated partner for remote identity proofing.
Though the discussion, it seems that some of the items under "identity proofing" should be in the "vetting column." (Vetting is verifying that this person exists in the world. Proofing binds a person to a record of information.)
(AI) Mark will go through the grid and make those changes.
Mark also noted that truly in-person proofing doesn't happen until the items below the thick horizontal line in the grid.
There was a discussion about not thinking about LoA in too rigid of a way.
Renee Shuey discussed a project at Penn State that has grown out of the student life cycle work. They discovered that the level of assurance associated with a person's affiliation (or where they are on the life cycle) doesn't necessarily correlate to the risk level of the applications that they are using . For example, the SP may want the IdP to perform a lot of the assurance work, but ultimately has the choice to accept lower level credentials and assume the related risk.She shared a draft of a table under development that displays the perceived risk for various student services at Penn State.
Penn State is working toward a central person registry system that contains identity and related process information and stores data such as a credentials assessed level of assurance. The service provider determines where its application falls on the risk continuum and requires that only credentials that adhere to a certain set of assurance requirements be used to access their service. In addition, financial aid, for example, could collect additional information from an individual, allowing them to move to a higher LoA, and work with on-campus registration authorities to make that happen. So, even though a student may be at "level 1" on the student life cycle chart, that person could move up the LoA scale when some on-campus service provider collects relevant additional information.
Renee reiterated that it is the service provider that makes the decision about when they will assume additional risk and the additional data they would need to take that risk.
There was also a discussion that there may be different gradations of level 1, say, as a student progresses toward level 2. So level 1.6 or 1.7 might require certain additional requirements than level 1.0.
An example is a prospective student that wants to submit additional financial data so they can find out exactly what their financial aid will be and, thus, their cost to attend. Even though a typical prospective student may be at LoA 0, they achieve a higher LoA because of the service they want to take advantage of.
(AI) Mark will work the concepts of Renee's risk assessment table into his grid.
-------------------
Remote Identity Proofing
Items for future agendas:
Is it sufficient remote proofing for Silver if you accept the appropriate notarized documents through the US Mail?
What about using third-party vendors or other universities for remote proofing.
Highlight areas in which we need an external resource to do identity proofing (for example, for distance education or a case in which applicants need a higher LoA).
Next Call - Friday, January 8, 2009 - 4 p.m. EST / 3 p.m. CST / 1 p.m. PST