PIV-I Enrollment for Educational Institutions Use Case: Difference between revisions

From IDESG Wiki
(added definition of PIV-I and what it's used for to the introduction)
 
m (40 revisions imported: Initial Upload of old pages from IDESG Wiki)
 
(11 intermediate revisions by one other user not shown)
Line 1: Line 1:
'''Title''':  
'''What is the PIV-I?''':  
"Personal Identity Verification - Interoperable" -- is "a physical card that is used to do things like enter a building or make secure computing happen on a computer, and the  
"Personal Identity Verification - Interoperable" -- is "a physical card with up to four data stores or sharing tools:  an RFID card, a bar code, a QR code and/or a mag stripe, as well as a photo and verbiage that might include the person's name, institution or affiliation, and location of the institution. It is issued by entities like government agencies to employees or educational institutions to students, and is used to do things like enter a building or make secure computing happen on a computer, register for classes or get health services, and the "I" is the interoperable version of this card."  It is an electronic credential enrollment in an Institution of higher learning (accredited institutions) setting. The card would establish a person’s electronic credentials, bind intrinsic or extrinsic attributes to an electronic credential, authenticate a person, authenticate a person at a website, authenticate a person at an organization, authenticate a person for remote high value transactions.
"I" is the interoperable version of this card."  It is an electronic credential enrollment in an Institution of higher learning (accredited institutions) setting. Establish a person’s electronic credential, Bind intrinsic or extrinsic attribute to an electronic credential, Authenticate person, Authenticate website, Authenticate organization, Remote high value transaction,
<br />
<br />
<br>
'''Use Case Description''':  
'''Use Case Description''':  
This use case describes an educatinal institution as a PIV-I Electronic Credential Provider<br /> <br />
This use case describes an educational institution as a PIV-I Electronic Credential Provider to students, employees and staff, researchers, professors etc.<br /> <br />
'''Use Case Category''': Trust/Assurance, Authentication, Interoperability, Privacy
'''Use Case Category''': Trust/Assurance, Authentication, Interoperability, Privacy
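Review bot: the expanded definition lists the RFID antenna, bar code, QR code and mag stripe as the card's data stores but never mentions the cryptographic chip and its keys and certificates, yet every later claim on this page (strong authentication, digital signing, derived certificates, the "Subscriber's operating system does not support PIV-I encryption" error condition, the need for a smartcard reader) depends on that chip rather than on the optical or magnetic stores. Suggest adding a clause such as "and a contact/contactless smartcard chip holding the subscriber's private keys and certificates" to the definition, and moving the enrollment-goal sentences that are repeated verbatim under '''Use Case:''' into one place.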


Line 12: Line 12:
<br />
<br />


'''Use Case:''' Enrollment of a person, Establish a person’s electronic credential, Bind intrinsic or extrinsic attribute to an electronic credential, Authenticate person, Authenticate website, Authenticate organization, Remote high value transaction,
'''Use Case:''' The card would establish a person’s electronic credentials, bind intrinsic or extrinsic attributes to an electronic credential, authenticate a person, authenticate a person at a website, authenticate a person at an organization, authenticate a person for remote high value transactions.


'''Category:''' Trust/Assurance, Authentication, Interoperability, Privacy
'''Category:''' Trust/Assurance, Authentication, Interoperability, Privacy


'''Actors:'''
'''Actors:'''
* [[Educational institution]] as an electronic credential provider;  
* [[Educational institution]] as an electronic credential provider;
* [[Educational institution]] as a relying party ;
* [[Applicant]] who desires to acquire an electronic credential;  
* [[Applicant]] who desires to acquire an electronic credential;  
* [[Subscriber]] who has successfully been issued an electronic credential;  
* [[Subscriber]] who has successfully been issued an electronic credential;  
* [[Claimant]] who desires to assert a claim against the electronic credential.


'''Goals:''' Tim’s educational institution wants to offer Tim an electronic credential. (''Based on NIST Updated E-Guidance'')
'''Goals:''' Mariella’s educational institution wants to offer Mariella an electronic credential. (''Based on NIST Updated E-Guidance'')


*Provides an electronic credential that could be trusted by government relying parties at LOA3 and or other relying parties at equal or lower levels of assurance.
* Provides an electronic credential that could be trusted by government relying parties at LOA3 and or other relying parties at equal or lower levels of assurance.
*Electronic Credential can be trusted for strong authentication and used in physical access decisions as well as logical access decisions.
* Electronic Credential can be trusted for strong authentication and used in physical access decisions as well as logical access decisions.
*Provides strong digital signing for online document submission and critical version control functions when Universities are collaborating on work product.
* Provides strong digital signing for online document submission and critical version control functions when Universities are collaborating on work product.
*Student could attach a branded electronic wallet to facilitate meal funding on campus and a number of other online transactions that could potentially extend off campus.
* Student (Mariella) could attach a branded electronic wallet to facilitate meal funding on campus and a number of other online transactions that could potentially extend off campus.
*The PIV-I provides the initial trust framework needed to create derived certificates from the electronic credential so that electronic credential could be extended to multiple devices and controlled by the Subscriber.
* The PIV-I provides the initial trust framework needed to create derived certificates from the electronic credential so that electronic credential could be extended to multiple devices and controlled by the Subscriber.




'''Assumptions:''' The educational institution in this use case is an accredited instituion of higher learning. Tim’s Educational institution has contracted with a certified personal identity verification interoperable (PIV-I) issuer or has certified to be a personal identity verification interoperable (PIV-I) issuer. PIV-I electronic credential is issued as consistent as possible with FIPS 201 and NIST 800-63 and as described in NIST Updated E-Authentication Guidance. Applicant can successfully satisfy applicable vetting and enrollment requirements; Applicant has completed and satisfied some sort of electronic credential enrollment application;
'''Assumptions:''' The educational institution in this use case is an accredited instituion of higher learning. Mariella's Educational institution has contracted with a certified personal identity verification interoperable (PIV-I) issuer or has certified to be a personal identity verification interoperable (PIV-I) issuer. PIV-I electronic credential is issued as consistent as possible with FIPS 201 and NIST 800-63 and as described in NIST Updated E-Authentication Guidance. Applicant can successfully satisfy applicable vetting and enrollment requirements; Applicant has completed and satisfied some sort of electronic credential enrollment application;


'''Requirements:''' Subscriber has had a relationship in good standing with the institution for at least 1 year or can meet in-person, vetting, and enrollment requirements. (''Described in NIST Updated E-Authentication Guidance'')
'''Requirements:''' Subscriber has had a relationship in good standing with the institution for at least 1 year or can meet in-person, vetting, and enrollment requirements. (''Described in NIST Updated E-Authentication Guidance'')


'''Process Flow:''' ''New in-person Student Enrollment''- The Applicant (may be a new student) wishes to apply in person for an electronic credential that can provide strong three factor authentication and is trusted for high assurance transactions/interactions with the educational institution via the internet or on campus. The enrollment process binds an intrinsic attribute (biometric) to the electronic credential and allows secure access to the attribute if required for extremely high value access decisions. In addition to providing the third factor for authorization decisions, the binding of the intrinsic attribute (biometric) to the electronic credential during enrollment provides repudiation in the event the Educational Institution needs to prove the Subscriber and the Applicant were indeed the same person. The Educational Institution's representative scans the appropriate documents, scans the applicant’s finger prints and captures a photo with an enrollment station. The enrollment station then encodes, activates and prints the photo on the credential. Process for transmitting and storing the data including encryption methods are defined in applicable standards.
'''Process Flow:''' ''New in-person Student Enrollment''- The Applicant (Mariella -- who may be a new student) wishes to apply in person for an electronic credential that can provide strong three factor authentication and is trusted for high assurance transactions/interactions with the educational institution via the internet or on campus. The enrollment process binds an intrinsic attribute (biometric) to the electronic credential and allows secure access to the attribute if required for extremely high value access decisions. In addition to providing the third factor for authorization decisions, the binding of the intrinsic attribute (biometric) to the electronic credential during enrollment provides repudiation in the event the Educational Institution needs to prove the Subscriber and the Applicant were indeed the same person. The Educational Institution's representative scans the appropriate documents, scans Mariella’s finger prints and captures a photo of her with an enrollment station. The enrollment station then encodes, activates and prints the photo on the credential. Process for transmitting and storing the data including encryption methods are defined in applicable standards.


''Existing Students''- An existing student (''Applicant''), who meets the minimum requirements, wishes to apply for an electronic credential that is trusted for high assurance transactions/interactions with the educatinal institution via the internet or on campus. The Subscriber completes the electronic credential application and returns it to their Educational Institution. The Educational institution confirms the applicant’s information and securly forwards the applicable information to a fulfillment house where the electronic credential is encoded but not activated. The elecrtonic credential is then sent to the address of record of the Subscriber. Upon receipt, the Subscriber confirms he or she is the proper individual to activate the electronic credential. The electronic credential is activated. ''Based on NIST Updated E-Authentication Guidance, an existing student who is issued a PIV-I "like" credential in this manner is capable of reaching level 3 assurance transactions/interactions. The activation of the electronic credential is done much like the financial industry activates pin debit cards in today's environment.
''Existing Students''- An existing student, Mariella (''Applicant''), who meets the minimum requirements, wishes to apply for an electronic credential that is trusted for high assurance transactions/interactions with the educatinal institution via the internet or on campus. The Subscriber completes the electronic credential application and returns it to their Educational Institution. The Educational institution confirms the applicant’s information and securly forwards the applicable information to a fulfillment house where the electronic credential is encoded but not activated. The elecrtonic credential is then sent to the address of record of the Subscriber. Upon receipt, the Subscriber confirms he or she is the proper individual to activate the electronic credential. The electronic credential is activated. ''Based on NIST Updated E-Authentication Guidance, an existing student who is issued a PIV-I "like" credential in this manner is capable of reaching level 3 assurance transactions/interactions. The activation of the electronic credential is done much like the financial industry activates pin debit cards in today's environment.
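Review bot: "provides repudiation in the event the Educational Institution needs to prove the Subscriber and the Applicant were indeed the same person" says the opposite of what is meant; binding the biometric at enrollment provides non-repudiation. In the same hunk the in-person flow promises "three factor authentication" while the Success Scenario later on the page authenticates with "two factor" (hard token, PIN) and treats the biometric as optional; the two passages should use the same wording. In the ''Existing Students'' paragraph the person filling in the application is still the Applicant by this page's own Actors definitions (the Subscriber is the one who "has successfully been issued an electronic credential"), so "The Subscriber completes the electronic credential application" should read "The Applicant". Spelling: "educatinal", "securly", "elecrtonic", "instituion", "finger prints".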




Line 63: Line 61:
* Educational Institution can’t authenticate the Claimant – Send error message and terminate connection
* Educational Institution can’t authenticate the Claimant – Send error message and terminate connection
* Claimant can’t authenticate the Educational Institution – error message and terminate connection
* Claimant can’t authenticate the Educational Institution – error message and terminate connection
'''Risks'''
* PIV-I Card is overused in situations it was not meant for based on original scope.
* PIV-I Card is used to share information collected beyond the original scope of the card mission.
* PIV-I Card could disclose information the person didn't want to disclose.
* PIV-I Card could associate medial information onto the card, in violation of HIPPA rules.
<br />
<br />
=== Relationships ===
=== Relationships ===
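Review bot: the new '''Risks''' list gives each risk without a mitigation, whereas every entry in the Error Conditions list above it pairs the condition with a response; for consistency each risk bullet should name the control (scope limits on what the card may be used for, minimisation of what is written to the card, a written data-sharing policy). Spelling in the last bullet: "medial" should be "medical" and "HIPPA" should be "HIPAA".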
Line 75: Line 80:
* [File:https://www.idecosystem.org/wiki/File:PIV_and_related_standards.jpg]
* [File:https://www.idecosystem.org/wiki/File:PIV_and_related_standards.jpg]
<br />
<br />


[[Category:Enrollment Use Cases]]
[[Category:Enrollment Use Cases]]
[[Category:Use Cases]]
[[Category:Use Cases]]
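Review bot: the reference `* [File:https://www.idecosystem.org/wiki/File:PIV_and_related_standards.jpg]` is malformed wiki markup: a single-bracket link must begin with a URL, and with the `File:` prefix in front of it the whole string renders as literal text, which is why the rendered page shows nothing under "References and Citations". Use `[[File:PIV_and_related_standards.jpg|thumb|PIV and related standards]]` to embed the uploaded image, or `[https://www.idecosystem.org/wiki/File:PIV_and_related_standards.jpg PIV and related standards]` for a plain external link.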

Latest revision as of 04:02, 28 June 2018

What is the PIV-I?: "Personal Identity Verification - Interoperable" -- is "a physical card with up to four data stores or sharing tools: an RFID card, a bar code, a QR code and/or a mag stripe, as well as a photo and verbiage that might include the person's name, institution or affiliation, and location of the institution. It is issued by entities like government agencies to employees or educational institutions to students, and is used to do things like enter a building or make secure computing happen on a computer, register for classes or get health services, and the "I" is the interoperable version of this card." It is an electronic credential enrollment in an Institution of higher learning (accredited institutions) setting. The card would establish a person’s electronic credentials, bind intrinsic or extrinsic attributes to an electronic credential, authenticate a person, authenticate a person at a website, authenticate a person at an organization, authenticate a person for remote high value transactions.

Use Case Description: This use case describes an educational institution as a PIV-I Electronic Credential Provider to students, employees and staff, researchers, professors etc.

Use Case Category: Trust/Assurance, Authentication, Interoperability, Privacy


Contributor: Bryan Russell (bryan.russell@xtec.com)


Use Case: The card would establish a person’s electronic credentials, bind intrinsic or extrinsic attributes to an electronic credential, authenticate a person, authenticate a person at a website, authenticate a person at an organization, authenticate a person for remote high value transactions.

Category: Trust/Assurance, Authentication, Interoperability, Privacy

Actors:

  • Educational institution as an electronic credential provider;
  • Educational institution as a relying party;
  • Applicant who desires to acquire an electronic credential;
  • Subscriber who has successfully been issued an electronic credential;
  • Claimant who desires to assert a claim against the electronic credential.

Goals: Mariella’s educational institution wants to offer Mariella an electronic credential. (Based on NIST Updated E-Guidance)

  • Provides an electronic credential that could be trusted by government relying parties at LOA3 and or other relying parties at equal or lower levels of assurance.
  • Electronic Credential can be trusted for strong authentication and used in physical access decisions as well as logical access decisions.
  • Provides strong digital signing for online document submission and critical version control functions when Universities are collaborating on work product.
  • Student (Mariella) could attach a branded electronic wallet to facilitate meal funding on campus and a number of other online transactions that could potentially extend off campus.
  • The PIV-I provides the initial trust framework needed to create derived certificates from the electronic credential so that electronic credential could be extended to multiple devices and controlled by the Subscriber.


Assumptions: The educational institution in this use case is an accredited institution of higher learning. Mariella's educational institution has contracted with a certified personal identity verification interoperable (PIV-I) issuer or has itself been certified as a PIV-I issuer. The PIV-I electronic credential is issued as consistently as possible with FIPS 201 and NIST 800-63 and as described in NIST Updated E-Authentication Guidance. The Applicant can successfully satisfy the applicable vetting and enrollment requirements, and has completed and satisfied an electronic credential enrollment application.

Requirements: Subscriber has had a relationship in good standing with the institution for at least 1 year or can meet in-person, vetting, and enrollment requirements. (Described in NIST Updated E-Authentication Guidance)

Process Flow: New in-person Student Enrollment- The Applicant (Mariella -- who may be a new student) wishes to apply in person for an electronic credential that can provide strong three factor authentication and is trusted for high assurance transactions/interactions with the educational institution via the internet or on campus. The enrollment process binds an intrinsic attribute (biometric) to the electronic credential and allows secure access to the attribute if required for extremely high value access decisions. In addition to providing the third factor for authorization decisions, the binding of the intrinsic attribute (biometric) to the electronic credential during enrollment provides non-repudiation in the event the Educational Institution needs to prove the Subscriber and the Applicant were indeed the same person. The Educational Institution's representative scans the appropriate documents, scans Mariella’s fingerprints and captures a photo of her with an enrollment station. The enrollment station then encodes and activates the credential and prints the photo on it. The process for transmitting and storing the data, including the encryption methods, is defined in the applicable standards.

Existing Students- An existing student, Mariella (Applicant), who meets the minimum requirements, wishes to apply for an electronic credential that is trusted for high assurance transactions/interactions with the educational institution via the internet or on campus. The Applicant completes the electronic credential application and returns it to their Educational Institution. The Educational Institution confirms the Applicant’s information and securely forwards the applicable information to a fulfillment house, where the electronic credential is encoded but not activated. The electronic credential is then sent to the Subscriber's address of record. Upon receipt, the Subscriber confirms he or she is the proper individual to activate the electronic credential, and the electronic credential is activated. Based on NIST Updated E-Authentication Guidance, an existing student who is issued a PIV-I "like" credential in this manner is capable of reaching level 3 assurance transactions/interactions. The activation of the electronic credential is done much like the financial industry activates PIN debit cards in today's environment.


Success Scenario:

  • Applicant applies for an electronic credential
  • Applicant satisfies vetting and enrollment requirements
  • Applicant obtains electronic credential in person or through the mail
  • Electronic credential is activated
  • Subscriber utilizes the electronic credential to remotely connect to the Educational Institutions web services over the internet to access protected resources.
  • Claimant is authenticated by the Educational Institution using two-factor authentication (hard token, PIN); the biometric may be presented as the third authentication factor for high value authentication decisions
  • Educational Institution web services authenticated by claimant
  • Encrypted web session is established between parties
  • Claimant requests access to protected resources
  • Claimant desires to make changes to the protected resource
  • Claimant signs the changes with a digital signature produced from the electronic credential
  • Changes are logged

Error Conditions:

  • Applicant's fingerprints can’t be captured during in-person enrollment – enrollment continues utilizing applicable documents and vetting procedures. Note: may reduce trust to LOA3
  • Subscriber’s operating system does not support PIV-I encryption – Microsoft Windows XP, Windows Vista, and Windows 7 can be updated to support PIV-I encryption
  • Subscriber's PC does not have a smartcard reader – Subscriber could utilize a USB smartcard reader; many of the newer machines have a smartcard reader built in or one can be added. In addition, PIV-I "like" electronic credentials can come in many form factors (smartcard, smart phone, USB, tablet, iPad, etc.)
  • Claimant impersonates another individual to obtain an electronic credential – utilize strong vetting, issuance and activation standards
  • Internet is not available - ???
  • Educational Institution can’t authenticate the Claimant – Send error message and terminate connection
  • Claimant can’t authenticate the Educational Institution – error message and terminate connection
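The Success Scenario and Error Conditions above describe a full credential lifecycle: enrollment binds vetted attributes to the subscriber's key, the card is activated, the relying party authenticates the claimant with the hard token plus PIN by way of a challenge, signed changes are logged, and an authentication failure ends the connection. The Go program below is an added worked example of that flow, not code from the IDESG wiki or from any PIV-I product. It simplifies deliberately: the issuer's signature over the subscriber's public key and an attribute hash stands in for the X.509 certificate a real PIV-I card carries, the PIN check lives in a software `Card` type rather than in secure hardware, and the claimant's authentication of the institution (the TLS server certificate in practice) is left out. All names, attribute values and the PIN are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"errors"
	"fmt"
	"strings"
)

// Credential is a simplified stand-in for the X.509 certificate on a PIV-I card: the issuer's
// signature binds the subscriber's public key to a hash of the attributes vetted at enrollment.
type Credential struct {
	Subscriber string
	PubKeyDER  []byte   // subscriber public key; the private half never leaves the card
	AttrHash   [32]byte // hash over name, affiliation and biometric template (constructed values)
	IssuerSig  []byte   // issuer ECDSA signature over PubKeyDER || AttrHash
}

// credentialDigest is what the issuer signs and what a relying party recomputes to verify.
func credentialDigest(c Credential) []byte {
	h := sha256.New()
	h.Write(c.PubKeyDER)
	h.Write(c.AttrHash[:])
	return h.Sum(nil)
}

// Enroll is the issuer side of enrollment: the institution signs the applicant's public key
// together with the vetted attributes, producing the credential to be encoded on the card.
func Enroll(issuerKey *ecdsa.PrivateKey, name string, attrs []string, pub *ecdsa.PublicKey) (Credential, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return Credential{}, err
	}
	c := Credential{Subscriber: name, PubKeyDER: der, AttrHash: sha256.Sum256([]byte(strings.Join(attrs, "\x00")))}
	c.IssuerSig, err = ecdsa.SignASN1(rand.Reader, issuerKey, credentialDigest(c))
	return c, err
}

// Card models the hard token: the private key and the PIN check stay inside it, so one
// signature proves possession of the card and knowledge of the PIN (two factors).
type Card struct {
	key     *ecdsa.PrivateKey
	cred    Credential
	pinHash [32]byte
	active  bool
}

// Activate is the "encoded but not activated" step: the subscriber confirms receipt and sets
// the PIN. Until then the card refuses to sign anything.
func (c *Card) Activate(pin string) { c.pinHash, c.active = sha256.Sum256([]byte(pin)), true }

// Sign checks the PIN in constant time, then signs the SHA-256 digest of msg with the card key.
func (c *Card) Sign(pin string, msg []byte) ([]byte, error) {
	if !c.active {
		return nil, errors.New("card not activated")
	}
	got := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(got[:], c.pinHash[:]) != 1 {
		return nil, errors.New("wrong PIN")
	}
	d := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, c.key, d[:])
}

// RelyingParty is the institution's web service; it trusts only the issuer's public key.
type RelyingParty struct {
	issuerPub *ecdsa.PublicKey
	Log       []string // audit log of accepted signed changes
}

// Authenticate verifies that the credential chains to the trusted issuer and that the claimant
// signed this session's fresh nonce. Any failure is the "can't authenticate the Claimant"
// error condition: the caller sends an error and terminates the connection.
func (rp *RelyingParty) Authenticate(cred Credential, nonce, sig []byte) (*ecdsa.PublicKey, error) {
	if !ecdsa.VerifyASN1(rp.issuerPub, credentialDigest(cred), cred.IssuerSig) {
		return nil, errors.New("credential not issued by trusted issuer")
	}
	pubAny, err := x509.ParsePKIXPublicKey(cred.PubKeyDER)
	if err != nil {
		return nil, err
	}
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("unexpected key type in credential")
	}
	d := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return nil, errors.New("challenge signature invalid")
	}
	return pub, nil
}

// RecordChange accepts a change to a protected resource only with a valid signature from the
// authenticated subscriber's key, then logs it ("Changes are logged").
func (rp *RelyingParty) RecordChange(pub *ecdsa.PublicKey, subscriber string, change, sig []byte) error {
	d := sha256.Sum256(change)
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return errors.New("change signature invalid")
	}
	rp.Log = append(rp.Log, fmt.Sprintf("%s sha256=%x", subscriber, d))
	return nil
}

// RunScenario walks enrollment, activation, challenge-response authentication and one signed
// change with the given PIN and returns the relying party's audit log.
func RunScenario(pin string) ([]string, error) {
	issuerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cardKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cred, err := Enroll(issuerKey, "Mariella", []string{"Mariella", "Example University", "fingerprint-template"}, &cardKey.PublicKey)
	if err != nil {
		return nil, err
	}
	card := &Card{key: cardKey, cred: cred}
	card.Activate("1234") // constructed PIN chosen by the subscriber at activation
	rp := &RelyingParty{issuerPub: &issuerKey.PublicKey}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sig, err := card.Sign(pin, nonce)
	if err != nil {
		return nil, err
	}
	pub, err := rp.Authenticate(card.cred, nonce, sig)
	if err != nil {
		return nil, err
	}
	change := []byte("update mailing address: 12 Campus Way")
	csig, err := card.Sign(pin, change)
	if err != nil {
		return nil, err
	}
	return rp.Log, rp.RecordChange(pub, card.cred.Subscriber, change, csig)
}

func main() {
	log, err := RunScenario("1234")
	fmt.Println("log:", log, "err:", err)
	_, err = RunScenario("0000")
	fmt.Println("wrong PIN attempt:", err)
}
```

The nonce is generated per session by the relying party, so a signature captured from one session cannot be replayed in another; a credential signed by any key other than the issuer's is rejected before the challenge is even checked, which is the control against the "impersonates another individual" error condition at the point of use.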

Risks

  • PIV-I Card is overused in situations it was not meant for based on original scope.
  • PIV-I Card is used to share information collected beyond the original scope of the card mission.
  • PIV-I Card could disclose information the person didn't want to disclose.
  • PIV-I Card could associate medical information with the card, in violation of HIPAA rules.


Relationships

  • Extended by:
  • Extension of:

References and Citations