...

  • Identity Verification Process disclosure
  • Retain records of ID documents
  • And one or more of:
    • Existing relationship with the IdP organization
    • In-person proofing
    • Remote proofing

There was some discussion in the area of identity proofing. Universities often issue credentials to students and faculty before they arrive on campus. One suggestion for that scenario is to assign those individuals Bronze (or no assurance level) initially, perform more substantial identity proofing in person once they arrive, and then reassign them to Silver as appropriate. Another option is to implement a remote proofing process.

For either in-person or remote proofing, the InCommon Silver proposal includes a list of required information that is aligned with NIST 800-63-1 and eAuth. A Registration Authority is required to verify two forms of identification presented by the individual; these could include a government-issued ID, a credit card, or proof of utility service.

...

  • Unique credential identifier (User ID)
  • Subject-modifiable shared secret
  • Strong resistance to guessing shared secret
  • Stronger credentials are acceptable too

Regarding "strong resistance to guessing shared secret": NIST SP 800-63-1 (Appendix A) provides a metric for estimating how resistant a user-chosen password is to guessing, expressed as an entropy estimate in bits. NIST also provides an Excel spreadsheet that, given the credential requirements (e.g. minimum length, required upper and lower case, numbers and letters, etc.), returns that numerical rating of password strength.
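As an added illustration (not part of the original meeting notes, and not NIST's spreadsheet), the following Python reproduces the Appendix A per-character entropy rule and the 6-bit composition bonus, then turns the estimate into the number of online guesses a verifier may tolerate over a password's lifetime before the attacker's odds exceed the 800-63-1 Level 1 (1 in 1,024) or Level 2 (1 in 16,384) targets. The dictionary-check bonus (up to 6 bits, declining to zero at 20 characters in NIST's table) is deliberately omitted, since its per-length schedule is read from NIST's table rather than a simple rule; the function and constant names and the sample policies are this example's own assumptions.

```python
"""NIST SP 800-63-1 Appendix A style entropy estimate for user-chosen passwords,
and the online-guess budget that estimate implies for a given assurance level."""

import math

# Maximum attacker success probability over the life of a password, per NIST 800-63-1.
LEVEL1_MAX_SUCCESS = 2 ** -10   # Level 1: no better than 1 in 1,024
LEVEL2_MAX_SUCCESS = 2 ** -14   # Level 2 (the level Silver is aligned with): 1 in 16,384
COMPOSITION_BONUS_BITS = 6.0    # credited when upper case plus a non-alphabetic character are required


def base_entropy_bits(length: int) -> float:
    """Appendix A per-character credits for a user-chosen password with no rules:
    4 bits for the first character, 2 bits each for characters 2-8,
    1.5 bits each for characters 9-20, and 1 bit each for characters 21 and up."""
    if length <= 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * min(length - 1, 7)
    if length > 8:
        bits += 1.5 * (min(length, 20) - 8)
    if length > 20:
        bits += 1.0 * (length - 20)
    return bits


def meets_composition_rule(password: str) -> bool:
    """True if the password has at least one upper-case letter and one non-alphabetic character."""
    return any(c.isupper() for c in password) and any(not c.isalpha() for c in password)


def estimated_entropy_bits(password: str, composition_rule_enforced: bool = False) -> float:
    """Entropy estimate for one password under a policy. The composition bonus is only
    credited when the policy enforces the rule, since the bonus models the rule, not
    the individual password; a password that violates an enforced rule is rejected."""
    if composition_rule_enforced and not meets_composition_rule(password):
        raise ValueError("password rejected: policy requires an upper-case and a non-alphabetic character")
    bits = base_entropy_bits(len(password))
    if composition_rule_enforced:
        bits += COMPOSITION_BONUS_BITS
    return bits


def max_online_guesses(entropy_bits: float, max_success_probability: float) -> int:
    """Largest number of online guesses, over the password's lifetime, that keeps an
    attacker's success probability at or below the target. Uses the 800-63 simplification
    that the space behaves like 2**entropy_bits equiprobable passwords."""
    return math.floor(2.0 ** entropy_bits * max_success_probability)


def policy_meets_level(min_length: int, composition_rule_enforced: bool,
                       guesses_tolerated: int, max_success_probability: float) -> bool:
    """Check a policy (minimum length, composition rule) against the number of failed
    online attempts the verifier tolerates per password lifetime before locking out
    or throttling. Evaluates the weakest password the policy admits (minimum length)."""
    bits = base_entropy_bits(min_length)
    if composition_rule_enforced:
        bits += COMPOSITION_BONUS_BITS
    return guesses_tolerated <= max_online_guesses(bits, max_success_probability)


if __name__ == "__main__":
    # Constructed sample policies for illustration, not real institutional settings.
    for min_len, comp, tolerated in [(8, False, 100), (8, True, 100), (12, False, 10000)]:
        ok = policy_meets_level(min_len, comp, tolerated, LEVEL2_MAX_SUCCESS)
        print(f"min length {min_len:2d}, composition rule {comp!s:5s}, "
              f"{tolerated:5d} guesses tolerated -> meets Level 2: {ok}")
    for pw in ["Tr0ub4dor&3", "correct horse battery staple"]:
        bits = estimated_entropy_bits(pw)
        print(f"{pw!r}: ~{bits:.1f} bits, Level 2 allows "
              f"{max_online_guesses(bits, LEVEL2_MAX_SUCCESS)} online guesses")
```

The practical point of the last function is the link between password policy and lockout: an 8-character minimum with no composition rule is credited with 18 bits, which at the Level 2 target leaves room for only 16 online guesses over the password's lifetime, so a verifier that tolerates more than that must compensate with throttling or a stronger policy.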

Credential Issuance and Management

  • Unique Subject identifier
  • Credential status management
  • Confirmation of delivery
  • Credential verification at time of use
  • Suspected credential compromise
  • Credential revocation

Where credential compromise is suspected, the NIST guidance calls for locking out the account. Universities typically do not want to do this, so this area requires further discussion.

Security and Management of Authentication Events

...

  • Best of both worlds
  • PKI provides strong local authentication
  • Federation provides rich, flexible identity
    • Protects Subject privacy
    • Also solves the TA problem
  • PKI also supports S/MIME, signatures, data integrity, etc.

NIH Discussion

Debbie Bucci from the National Institutes of Health was at the session. She said that NIH is working to roll out applications that they are looking to federate. For example, a SharePoint service for public information officers is expected to go live in May. The grant community is looking to federate with NIH and there are a number of Level 2 applications being developed.

...