Educause Security Discussion mailing list archives
Re: Identifiers on ID Cards
From: "David L. Wasley" <dlwasley () EARTHLINK NET>
Date: Fri, 16 Dec 2005 11:44:09 -0800
Well, if you're going to reissue a credential with the same identifier, you will require some way to invalidate the prior, stolen credential. PKI offers that function but it also requires some infrastructure to support checking. :-/

When I was working on this, I felt that no identifier issued for another purpose should be used, e.g. SSN or student ID or email address. It creates an interdependency between two functions that could cause problems if it is necessary to change the binding between that identifier and the physical person.

Instead, I proposed "a unique (integer or string) identifier that would link to a database entry for the subject and never be re-issued to a different physical person." That identifier need never change unless it becomes compromised. Meanwhile, every other piece of information about the subject could change and the credential would still be valid. If the identifier were to become compromised, e.g. the credential containing it was stolen or lost, a new identifier could be created for that physical person, pointing to the same data, and a new credential issued. (Of course, with PKI one could simply invalidate the old credential and reissue one with the same identifier ;-) )

David

-----

At 9:19 AM -0800 on 12/16/05, Karen Eft wrote:
Dave, I'm not aware of existing policy here on this point, but I really like your suggested principle of "encoding with an identifier that is re-issuable". If I confirm that this is not already included in our policy/guidelines somewhere, I'm going to see about adding it.

--Karen

On Dec 15, 2005, at 11:46 AM, Dave Huth wrote:

I'm wanting to learn more about best practices associated with what type of identifiers to encode on ID Cards. There doesn't seem to be anything in the list archives on this subject - does anyone have any good references? The types of questions surround the appropriate type of identifier to encode. For instance, is it a wise move to encode things like Student/Employee ID, Login ID, and those types of identifiers that are very difficult to change/re-issue; or should the Card be encoded with an identifier that is re-issuable if the card is lost/stolen and let a directory link that identifier with an individual's collection of identity data?

Thanks,
Dave Huth
University of Utah

======================================================
Karen E. Eft
Information Technology Policy Manager
UC Berkeley
(510)642-4095
http://itpolicy.berkeley.edu
======================================================
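The design the thread converges on (a surrogate card identifier that links to a directory record, is never re-issued to a different person, and can be retired and replaced when a card is lost, while the student ID, email and other attributes stay in the directory and can change freely) can be sketched as a small directory model. The code below is an added illustration written for this archive page, not code from any of the posters or from their institutions; the class and method names (CardDirectory, enroll, resolve, report_lost), the 128-bit random card identifier, and the sample person records are all assumptions made for the example.

```python
"""Directory-backed ID card identifiers (illustrative model, not production code).

The card carries only a surrogate identifier.  The directory maps that identifier
to a person record; identifiers issued for other purposes (student ID, email) live
in the record and never appear on the card.  A lost card retires its identifier and
a fresh one is minted for the same record; retired identifiers are never reused.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class PersonRecord:
    # Constructed sample attributes; these can change without touching the card ID.
    name: str
    student_id: str
    email: str


class CardDirectory:
    """Maps card identifiers to person records; a card identifier is never reused."""

    def __init__(self, id_source: Callable[[], str] = lambda: secrets.token_hex(16)):
        # id_source is injectable so the never-reuse rule can be exercised deterministically;
        # the default draws a random 128-bit hex token (an assumption of this example).
        self._id_source = id_source
        self._people: Dict[int, PersonRecord] = {}
        self._active: Dict[str, int] = {}    # card ID -> internal person key
        self._revoked: Dict[str, int] = {}   # retired card IDs, kept so they are never reissued
        self._next_key = 1

    def _mint_card_id(self) -> str:
        # Draw until the identifier has never been issued, neither active nor revoked.
        while True:
            cid = self._id_source()
            if cid not in self._active and cid not in self._revoked:
                return cid

    def enroll(self, record: PersonRecord) -> Tuple[int, str]:
        """Create the directory entry and issue the first card identifier for it."""
        key = self._next_key
        self._next_key += 1
        self._people[key] = record
        cid = self._mint_card_id()
        self._active[cid] = key
        return key, cid

    def resolve(self, card_id: str) -> Optional[PersonRecord]:
        """What a reader does at the door: only an active card ID resolves to a person."""
        key = self._active.get(card_id)
        return self._people.get(key) if key is not None else None

    def report_lost(self, card_id: str) -> str:
        """Retire the compromised card ID and issue a fresh one bound to the same record."""
        key = self._active.pop(card_id)      # KeyError if unknown or already revoked
        self._revoked[card_id] = key
        new_id = self._mint_card_id()
        self._active[new_id] = key
        return new_id

    def is_revoked(self, card_id: str) -> bool:
        return card_id in self._revoked

    def update_email(self, key: int, email: str) -> None:
        # Attribute changes happen in the directory; the card identifier is unaffected.
        self._people[key].email = email


if __name__ == "__main__":
    directory = CardDirectory()
    key, card = directory.enroll(PersonRecord("Alice Example", "u0000001", "alice@example.edu"))
    print("issued", card, "->", directory.resolve(card).name)
    replacement = directory.report_lost(card)
    print("old card resolves to", directory.resolve(card))          # None
    print("new card resolves to", directory.resolve(replacement).name)
```

The lookup table of revoked identifiers is what makes "never re-issued to a different physical person" enforceable without PKI: a reader that only consults the active map rejects the lost card as soon as it is reported, and the mint loop guarantees a retired value cannot come back, even for the same person.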
Current thread:
- Identifiers on ID Cards Dave Huth (Dec 15)
- <Possible follow-ups>
- Re: Identifiers on ID Cards Karen Eft (Dec 16)
- Re: Identifiers on ID Cards David L. Wasley (Dec 16)
- Re: Identifiers on ID Cards Gary Dobbins (Dec 16)
- Re: Identifiers on ID Cards jack suess (Dec 17)