Subject Re: draft charge, refeds working group on attribute release
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Tue, 05 Jul 2011 23:39:02 +0100

On 05/07/2011 21:40, Ingrid Melve wrote:

Is there any way we can lower the price of the compliance projects? The
cries of pain we can live with, but the price and complexity of
compliance projects is hard. For IT security policy Uninett is running a
self-audit for universities, and this is working out pretty well

Exactly. Self compliance was one of the things I suggested in my email to Nicole. Heck, if the UK govt can rely on self compliance when handing out millions of pounds in government funding to universities, we can surely rely on self compliance when a university says, this is one of our students. (In fact the government funding is given because a university says "this is the number of students we have, so now give us the funding for each one.") So clearly each university in the UK knows which students it has at a sufficiently high level of assurance to be paid for this information.

I think many universities/colleges generally already do most of LOA2 for their "normal" 95% of users (standard staff/students), but meeting every single requirement in a demonstrable (to auditors) manner is where things get expensive.

Except where they are saving money by putting up self service
registration portals, or just decide to do stuff differently. Self
registration is a big thing, it seems to breed together with portals.
And then there are an increasing number of online students who never
turn up at campus.

My favorite binding-person-to-user-account story is from a small college
who said "they phone us, and then we realize that we know them or their
family", and we looked into the situation, where the statement turned
out to be true. If you speak Sami, you can have an account, because they
know who you are (or at least what family you come from). Does not
fulfill the letter of LoA2, but personal validation nevertheless.

And beyond that, when you start adding in the remaining 5% of users that most places have in their IDM/directories (a professor's visiting colleague from another institution who needed an account so we gave them one based on the say-so of the prof without checking their passport)... then life starts getting complicated and expensive.

We have found that the 5% of users who are corner cases make up 30-70%
of the user population before cleaning up campus IdM, and 25-40% after
spring cleaning is done. It never ceases to amaze me how seriously the
university takes its responsibilities to include local enterprises (and
their staff), how many collaboration projects with foreign universities
there are, and how many students are floaters.
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax: +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page:
Research Web site:
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5