UC Identity Management Conference Call - 10/6/2004 - Notes
Participants
- Mike Baptista, UCOP
- Jacqueline Craig, UCOP
- Gabe Lawrence, UCSD
- Datta Mahabalagiri, UCLA
- Brian Roode, UCI
- Katya Sadovsky, UCI
- David Walker, UCOP
- Jerry Wilcox, UCOP
Multi-Factor Authentication for UCFY/YBO
We have reached consensus that the Shibboleth entry to UCFY will
prompt the user for additional information, and that this information
will be something the person already knows, such as zip code or birth
date; it will not be a password that must be remembered separately.
- The UCFY/YBO people will meet before the next conference call to
determine what information is available for this prompt.
- The reason for this is to implement a control that handles a) the
situation where someone has shared their password with someone else,
and b) to ensure the user's presence at the time UCFY is entered.
As we've experienced, it's not easy to balance this against
implementing a good user experience. (Or even know precisely how
users interpret "good;" they also want strong security.)
- We could have handled this with higher-level requirements on the
campuses, but this application requires higher assurance than most
other applications, so we don't want to set the bar this high for all
applications.
- San Diego is working on multiple assurance levels for their
authentication system; we can expect other campuses to do this,
too. As that is done, we will look for ways to assert the
assurance level through Shibboleth, and we will encourage application
service providers to make use of this information.
Policy Statement
Jacqueline's draft framework was discussed. Everyone is asked to
review it to ensure that there's a place for everything that's needed
and that what is said won't cause undue operational difficulties. We
will discuss this further in our next conference call.
Schedule
We made a couple of small changes to the strawman schedule that was
included with the agenda for this call; the modified schedule follows:
- Metadata Track
  - Plan for UCTrust metadata dissemination - 11/3/2004
  - Implement metadata dissemination - 12/1/2004
- Help Desk Track
  - Resolution of help desk issues (referrals, etc.) - 12/1/2004
- Policy Track
  - First draft to the project team - 10/19/2004
    - for discussion during the 10/20/2004 conference call
  - Final draft to the ITLC - 11/17/2004
  - Interim acceptance of policy draft - 12/1/2004
  - Benefits Participating campuses (VCAs?)
  - Begin UC-wide vetting process - 12/1/2004
    - ITLC
    - COVCA
    - Controllers
    - Risk Management
    - Internal Audit
- UCFY/YBO Track
  - Finalize plan for multi-factor authentication for UCFY/YBO/Shib - 10/20/2004
  - Implement final UCFY/YBO/Shib interface - 11/17/2004
  - Put UCFY/YBO/Shib interface into production - 12/8/2004
    - (This needs to conform to standard UCFY/YBO practice.)
Everyone has until Friday, 10/8/2004, to raise any issues with this
schedule. After that, everyone will be expected to do their work on
time.
We need someone to take ownership of the metadata track. I will
be seeking "volunteers."
Next Call
The next call will be Wednesday, 10/20/2004:
- Date and Time: Wednesday, 10/20/2004, 9:00a-10:00a
- Call-in Number: 866-740-1260
- Access Code: 9870500
David Walker - 10/6/2004