NERCOMP: Identity Management SIG
September 27, 2005 | 38 Comments
Yesterday we attended the NERCOMP Identity Management Workshop at the College of the Holy Cross.
Steve Carmody of Brown University explained an ideal infrastructure including a reminder for me to review “Identifiers, Authentication, and Directories: Best Practices for Higher Education” by Internet2. Carmody had a lot of great things to say, giving a solid overall update of how Internet2 and MACE are coming along with Shibboleth, Grouper, Signet, and various other initiatives. He also pointed me at Sun’s XACML Implementation which is very interesting.
Christopher Misra of UMass Amherst and Robert Banz of UMBC both presented on their current IdM initiatives. They both seem to have established IdM infrastructures which need one enhancement or another.
In the final time slot was a general group discussion. I took this opportunity to ask how schools are establishing and maintaining credentials remotely. No one had an answer that was ideal. I suggested our current proposal, and no one seemed to have any criticisms. One person suggested that maybe we don’t need to have as secure a system as we’re proposing merely to secure someone’s email. My reply to this was that in a federated world with connections to the federal PKI bridge, InCommon services, and more, we are securing far more than email. It is our responsibility to have as high a level of assurance as possible.
Tags: authentication, authorization, credentials, grouper, higher education, identity, identity management, internet2, MACE, NERCOMP, password, passwords, shib, shibboleth, signet, xacml
Assuring Identity Remotely
August 1, 2005 | 1 Comment
We are currently reassessing our credentialling process and in the course of my research here, I was reading Citizen & Commerce Certificate Policy Version 1.0 which states:
The identity may be established in any of the following manners:
(1) The identity may be established through in-person appearance at the credential provider, or its agent, with physical credentials (e.g., driver’s license or birth certificate). Collection of certified mail is one example of in-person appearance at an agent of the credential provider.
(2) The identity may be established using procedures similar to those used when applying for consumer credit and authenticated through information in consumer credit databases or government records, such as:
• the ability to place calls from or receive phone calls at a given number; or
• the ability to obtain mail sent to a known physical address.
(3) Where an ongoing business relationship with the credential provider or a partner company (e.g., a financial institution, airline, or retail company) exists, the identity may be authenticated through information derived from the business relationship such as:
• the ability to obtain mail at the billing address used in the business relationship; or
• verification of information established in previous transactions (e.g., previous order number); or
• the ability to place calls from or receive phone calls at a phone number used in previous business transactions.
The second option fits in nicely with a solution we are preparing to present for our campus and online education.
I’ll be posting more on this soon, for now we are calling our plan: “The Modified Tilley Hat Method”.
Tags: authorization, credentials, identity, identity management, level of assurance
