InC-Student Notes from November 20, 2009
-------------------
Attending
Brendan Bellina, University of Southern California
Nancy Krogh, University of Idaho
Mark McConahay, Indiana University
Rodney Peterson, EDUCAUSE
Karen Schultz, Penn State University
Ken Servis, University of Southern California
Renee Shuey, Penn State University
Ann West, Internet2/EDUCAUSE
Dean Woodbeck, Internet2 (scribe)
-------------------
AACRAO Workshop
Mark McConahay and Karen Schultz have planning for the AACRAO workshop well in hand.
-------------------
EDUCAUSE Meeting Follow-up
Ken, Renee and Ardoth Hassler presented at EDUCAUSE on federating with NIH, NSF, and the Clearinghouse. It was not a large crowd, but the presentation went well.
The registrar constituent group had an interesting discussion about distance learning, how to identify distance learners and dealing with transfer credits.
Mark said that there was an overall impression that identity management had a much greater visibility in the past, with a greater presence in the administrative systems track, the Catalyst award, and the number of associated sessions. Many sessions that did not have IdM as the main topic had some mention of IdM.
One additional topic of interest was methods for confirming identities of remote users for examinations. Rodney said that new Department of Education regulations require that an institution have a plan or process for identifying such remote users.
-------------------
Student Life Cycle/LoA Grid
Much of the meeting was spent discussing the grid that Mark produced and distributed associating the student life cycle with the necessary levels of assurance. The spreadsheet is available under "working group documents" on the first page of the InC-Student wiki.
The grid includes NIST 800-63 levels, as well as InCommon standards. The concept is to develop a template that better prescribes accepted practices in terms of identity proofing, compliance and risks, and suggests additional resources and use cases. The origins for this came from the student life cycle model developed at Penn State.
Mark went though the rationale for the rows and columns and asked for feedback from the group. The outcomes of the discussion were:
- Authentication - Provide additional information about the authentication methods. UserID/password, for example, could mean temporary credentials, user-defined and supplied credentials, or credentials provided by the institution.
- Credential delivery - Provide additional details and/or more precise explanations.
- Compliance - Two major items are FERPA and HIPPAA
- Add column for campus policies. It would be useful to provide examples, such as a campus that starts applying FERPA at the time of application (which is not required) rather than the time of enrollment.
Mark reviewed the data included in each row. Moving from top to bottom on the grid takes you from very little assurance to higher levels of assurance.
- First row - don't know who the visitors are - relying on them to tell us that and also assuming that repeat visitors use the same set of credentials each time.
- Second row - there is some third-party evidence of identity (most common is a test score)
- Third row - increased assurance by using knowledge-based questions for identity.
- Fourth row - using a preponderance of evidence and institutionally defined credentials. Credential delivery becomes important (by encrypted email or postal service)
Suggestions included:
- Refer to "colleges and universities," rather than "universities."
- Where appropriate, include references and links in some of the cells
- Some of the rows are very similar - perhaps with only one cell containing different information. Collapse these rows and perhaps split that cell or have a branching point.
- Define where remote proofing by third-party vendors might fit (similar to how credit services perform this role).
Mark asked that folks review the chart on their own and email him comments or questions about the chart and recommendations related to today's discussion. He will work on a revision for the next call.
---------------
Next Call - Friday, December 11, 2009 - 4 p.m. EST / 3 p.m. CST / 1 p.m. PST