At 05:37 PM 8/24/99 +0200, you wrote:
>  LPI will be maintaining a database with information on people who took
>one or more exams.  It will be needed to administer the certification
>status of the candidates, and also to monitor the quality of the exams.
>It is our intention to take good care of privacy issues so that in 
>principle personal information will not be disclosed without consent.
>There are however some specific details that we would like to hear your
>opinion and thoughts on.
>
>  It is our intention to make a public register where anybody can verify
>the certification status of an individual.
>
>
>(* 1 *)
>  Do we make it a policy that for all people who took one or more
>exams, the certification status can be polled anyway ? (i.e., we won't
>tell that he failed the L.II exams 5 times, but just that he has an LPIC-1
>certification since date so-and-so).
>  Or do we make it a policy not to disclose this information unless the
>candidate made explicit that he wants to participate in this service?
>

If specific certification information is made available to everyone, it
will cause problems.  I would only tell the candidate taking the exam if
they passed, or failed, and never disclose specific scores or number of
attempts to anyone.  If any information other than pass / fail is
disclosed, some people will press to have all information disclosed, and
try to find some way to use it to their advantage.


>  The other major issue is, what do we use as a unique personal
>identifier?  There are several options:
>
>A) full names
>+ personal
>- probably not unique
>- variant spelling
>

- definitely not unique

>B) social security code
>+ personal and unambiguous, but:
>- different format in different countries
>- maybe not unique (the same number for different persons in different
>countries)
>- illegal to use by a non-government agency in some countries (e.g.
>Canada)
>

- Only banks, employers, and government agencies can require an individual
to provide a social security number.  There is also some liability involved
when an organization maintains personal information along with social
security numbers.  Since I have personally had someone attempt to
fraudulently use my social security number, I make a point to omit it from
any applications that request it.

>C) generated unique ID (number)
>+ unique, unambiguous
>- semi-secret (what is the ID of a certain person?)
>- not personal: people may claim an ID that isn't theirs but they know
>it has a high level of certification; how can an outsider check the fraud?
>- easy to poll for the certification status of all candidates (by
>polling all possible ID's) instead of just an individual.
>
>

If a unique id is assigned, and an easily accessed database is available,
there will not be very many people trying to claim they have a
certification they do not.  I'm not sure why this number would need to be
secret if it were just used to identify a person for certification status
purposes.  



>  The typical use for the certification-verification service would be that
>a prospective employer can check the certification status of a candidate.
>
>
>(* 2a *)
>  Do we want the employer to be able to do that independent of the
>candidate, i.e. he is able to guess or obtain the ID used in our database?
>  Or do we require active participation by the candidate, who would need
>to disclose his semi-secret ID ?
>  The answer to this question determines the type of ID we can use.
>
>
>  We want the prospective employer also to be able to verify that the
>status actually belongs to that person, so a name should probably be used
>in the procedure.
>
>(* 2b *)
>  Do we require the name as part of the input data for the 
>certification-verification service ? (if a valid answer is returned, the
>name matched the rest of the ID); it is easy to make errors in names
>however.
>  Or do we return the name with the certification status ? (so he can
>check that the ID belonged to the candidate): this may be vulnerable to
>breach of privacy.
>
>  Please send your ideas.
>
>--

It would be relatively straightforward to ask employers to input a name
to search a database, and return a list of first and last names, along with
certification data.  It would also be useful to someone wanting a certified
person in their area to be able to search by city, state, etc.





**********************************************************************

Bob Baer
BAERNET
805 South Il Ave.
Carbondale, Il 62901
618-529-1229

**********************************************************************



________________________________________________________________________
This message was sent by the linux-cert mailing list. To unsubscribe:
echo unsubscribe | mail -s '' [EMAIL PROTECTED]
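
The following is an added illustration, not part of the original message and not LPI code. It sketches one way to combine option C (a generated ID) with the name-as-input variant of question 2b, so that the ID cannot be found by polling and only pass status and date are returned. The `Registry` class, its method names, the opt-in flag and the sample candidate are all hypothetical, and accent and case folding is an assumed answer to the "variant spelling" concern.

```python
import hmac
import secrets
import unicodedata


def new_candidate_id() -> str:
    """Random 128-bit ID: unique, and too sparse to find by polling all IDs."""
    return secrets.token_hex(16)


def normalize_name(name: str) -> str:
    """Fold case, accents and spacing so variant spellings compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    bare = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(bare.casefold().split())


class Registry:
    """Hypothetical in-memory register; a real one would sit on a database."""

    def __init__(self):
        self._records = {}  # candidate ID -> record

    def enroll(self, name, level, since, failed_attempts=0, opted_in=True):
        cid = new_candidate_id()
        self._records[cid] = {
            "name": normalize_name(name), "level": level, "since": since,
            "failed_attempts": failed_attempts,  # kept internally, never returned
            "opted_in": opted_in,
        }
        return cid

    def verify(self, candidate_id, claimed_name):
        """Return level and date only if ID and name match; otherwise None.

        Unknown ID, wrong name and opted-out candidate all give the same
        answer, so the response does not reveal which IDs exist.
        """
        rec = self._records.get(candidate_id)
        stored = rec["name"] if rec else ""
        claimed = normalize_name(claimed_name)
        name_ok = hmac.compare_digest(stored.encode(), claimed.encode())
        if rec is None or not rec["opted_in"] or not name_ok:
            return None
        return {"level": rec["level"], "since": rec["since"]}


if __name__ == "__main__":
    reg = Registry()
    # Constructed sample candidate and date, for illustration only.
    cid = reg.enroll("José  Müller", "LPIC-1", "1999-08-24", failed_attempts=5)
    print(reg.verify(cid, "jose muller"))
    print(reg.verify(cid, "Someone Else"))
```
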
