Educause Security Discussion mailing list archives
Re: Enabling a job applicant to resume a submission later
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Wed, 15 Dec 2010 17:56:27 -0600
I've thought along this OpenID/Facebook Connect/etc line for some use cases in the general category you describe.

Does your job application process require the applicant to provide sensitive data such as SSN? That'd be the point where I start to think I'd rather not trust the current generation of consumer federated identity providers, though the OIX[1] cabal is trying really hard to convince themselves and others that their IDPs are up to that level, or *can* be.

See also NSTIC[2] and various other initiatives involving citizen access to government services.

-jml

[1] http://openidentityexchange.org/
[2] http://www.dhs.gov/xlibrary/assets/ns_tic.pdf
"Flynn, Gary - flynngn" <flynngn () JMU EDU> 2010-12-15 15:59 >>>
I hesitate to suggest this on a security list but if you assume the unknown person is responsible for their own credentials on an external service and your terms and conditions state that once they start an application that it will be available to the external service using the initially provided credentials, something like OpenID might be usable assuming you're willing to integrate it with your app.

Google has a pretty extensive looking page explaining what needs to be done to use gmail accounts for federated authentication using OpenID technology:

http://code.google.com/apis/accounts/docs/OpenID.html

At some point afterwards, though, you'd have to verify their identity before taking any actions that assume anything in the application is actually tied to the claimed identity. Wouldn't want to be calling job references for someone who didn't actually submit an application.

From: Clifford Collins <collinsc () FRANKLIN EDU>
Reply-To: Clifford Collins <collinsc () franklin edu>
Date: Wed, 15 Dec 2010 16:08:37 -0500
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Enabling a job applicant to resume a submission later
Folks,

I've been approached by one of IT's analysts about a potential project our HR department is contemplating that would enhance our current, home-spun, online job application service. HR wishes to allow a job applicant to resume filling out an application over the course of multiple sessions and over many days. We are still a year or more away from implementing an IdM solution that would enable us to give them a unique login. Also, I would not assume they would use the same workstation each time.

The analyst has his own idea for a solution but I am interested in first finding out what you list members might think of for a solution. Do any of you have or can you suggest an interim solution? What are the privacy and/or security considerations?

Thanks for your help!

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"
--
Gary Flynn
Security Engineer
James Madison University