The InCommon Silver assurance profile has a section that allows for remote proofing of identity subjects. Many people I’ve asked about this are saving this section for “later” and aren’t going to try to do remote proofing to begin with. Someone said something to me the other day about the availability of notaries that makes me think this is possible to do in a not too terribly difficult way. Here’s the relevant section of the assurance profile:
4.2.2.4.3 Remote proofing
1. The RA shall establish the Subject’s IdMS registration identity based on
possession of at least one valid government ID number (e.g., a driver’s license or
passport) and either a second government ID number or financial account
number (e.g., checking account, savings account, loan or credit card) with
confirmation via records of either number.
2. The RA verifies other information provided by the Subject using both of the ID
numbers above through record checks either with the applicable agency or
institution or through credit bureaus or similar databases, and confirms that:
name, date of birth, and other personal information in records are on balance
consistent with the application and sufficient to identify a unique individual. If
this appears to be the case, the RA authorizes issuance of Credentials.
3. If the record checks do not confirm the Address of Record, it must be confirmed
as described in §4.2.2.5 below.
Note that it says if you can’t confirm the information provided via record checks, you have to register the subject via the address of record. Everyone seems to be focusing on the technical problem of verifying the source document numbers via Equifax or other credit bureaus, and/or state motor vehicle registries. I think people are so shocked by this requirement that they’re misdirected away from the critical pieces here:
1) You only need to register the facts of the documents presented – you can do that via notaries public that are available free of charge for customers at all banks in the US.
2) You can confirm the identity of the individual by delivery of a registration secret to an address of record. What is an address of record?
Conveniently, section 4.2.2.5 (2)(b) says:
For an electronic Address of Record, the RA confirms the ability of the Subject to receive telephone communications at a telephone number or e-mail at an e-mail address.
So you can just e-mail them a short-lived registration bearer token after you receive their notarized paper form containing their identity documentation back. Can it really be that simple? An idea for some legalese to include on the form (I am not a lawyer) might be:
I hereby declare that the e-mail address supplied on this form by me is a valid email address that is acceptable for use in official communications with me. I am the only person who has access to this email address.
Update: 5/30/2012: Thanks to Mark B. Jones for this interesting international tidbit on consular services and the notary function: http://travel.state.gov/law/judicial/judicial_2086.html
I am one of those individuals who has removed remote proofing from the scope of our assurance discussion, for now. We have discussed the possibility of using notaries and it remains a viable solution. That said what I have heard in my discussions is that the “trust” of notary practices varies from state to state. Since trust is what this is all about for us it does make me question if I would trust the assertion of a notary from other states. If that is the case, and this needs a lot more investigation before drawing any conclusions, this might not be the right solution.
As soon as we solve this within the US, we will need to solve for international students and faculty. How do we find a solution which will work across boundaries?
Thanks for sharing…
Excellent point Renee, thanks for your comment. It would be an interesting practice to get a feel for the differences in notary trust and how it’s implemented in state laws in the US. I have to think that there is a similar need and thus a similar function in many countries around the world, but you’re right, it’s probably not close to the same in terms of practice in many places.
There may not be perceived trust but is there legal recourse if notaries fail to “do the right thing”?
A good point Mark, that seems like it should be the deciding factor in acceptability of a state’s implementation of the notary function in law, for the purposes of this type of remote proofing.