Bob Baer
Tue, 24 Aug 1999 18:37:05 -0700
At 05:37 PM 8/24/99 +0200, you wrote:
> LPI will be maintaining a database with information on people who took
>one or more exams. It will be needed to administer the certification
>status of the candidates, and also to monitor the quality of the exams.
>It is our intention to take good care of privacy issues so that in
>principle personal information will not be disclosed without consent.
>There are however some specific details that we would like to hear your
>opinion and thoughts on.
>
> It is our intention to make a public register where anybody can verify
>the certification status of an individual.
>
>
>(* 1 *)
> Do we make it a policy that for all people who took one or more
>exams, the certification status can be polled anyway ? (i.e., we won't
>tell that he failed the L.II exams 5 times, but just that he has an LPIC-1
>certification since date so-and-so).
> Or do we make it a policy not to disclose this information unless the
>candidate made explicit that he wants to participate in this service?
>

If specific certification information is made available to everyone, it
will cause problems. I would only tell the candidate taking the exam if
they passed, or failed, and never disclose specific scores or number of
attempts to anyone. If any information other than pass / fail is
disclosed, some people will press to have all information disclosed, and
try to find some way to use it to their advantage.

> The other major issue is, what do we use as a unique personal
>identifier? There are several options:
>
>A) full names
>+ personal
>- probably not unique
>- variant spelling
>

- definitely not unique

>B) social security code
>+ personal and unambiguous, but:
>- different format in different countries
>- maybe not unique (the same number for different persons in different
>countries)
>- illegal to use by a non-government agency in some countries (e.g.
>Canada)
>

- Only banks, employers, and government agencies can require an
individual to provide a social security number. There is also some
liability involved when an organization maintains personal information
along with social security numbers. Since I have personally had someone
attempt to fraudulently use my social security number, I make a point to
omit it from any applications that request it.

>C) generated unique ID (number)
>+ unique, unambiguous
>- semi-secret (what is the ID of a certain person?)
>- not personal: people may claim an ID that isn't theirs but they know
>it has a high level of certification; how can an outsider check the fraud?
>- easy to poll for the certification status of all candidates (by
>polling all possible ID's) instead of just an individual.
>
>

If a unique id is assigned, and an easily accessed database is
available, there will not be very many people trying to claim they have
a certification they do not. I'm not sure why this number would need to
be secret if it were just used to identify a person for certification
status purposes.

> The typical use for the certification-verification service would be that
>a prospective employer can check the certification status of a candidate.
>
>
>(* 2a *)
> Do we want the employer to be able to do that independent of the
>candidate, i.e. he is able to guess or obtain the ID used in our database?
> Or do we require active participation by the candidate, who would need
>to disclose his semi-secret ID ?
> The answer to this question determines the type of ID we can use.
>
>
> We want the prospective employer also to be able to verify that the
>status actually belongs to that person, so a name should probably be used
>in the procedure.
>
>(* 2b *)
> Do we require the name as part of the input data for the
>certification-verification service ? (if a valid answer is returned, the
>name matched the rest of the ID); it is easy to make errors in names
>however.
> Or do we return the name with the certification status ? (so he can
>check that the ID belonged to the candidate): this may be vulnerable to
>breach of privacy.
>
> Please send your ideas.
>
>--

It would be relatively straightforward to ask employers to input a name
to search a database, and return a list of first and last names, along
with certification data. It would also be useful to someone wanting a
certified person in their area to be able to search by city, state, etc.

**********************************************************************
Bob Baer
BAERNET
805 South Il Ave.
Carbondale, Il 62901
618-529-1229
**********************************************************************

________________________________________________________________________
This message was sent by the linux-cert mailing list. To unsubscribe:
echo unsubscribe | mail -s '' [EMAIL PROTECTED]
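
The trade-offs raised under option C and question (* 2b *) can be seen in a short sketch, added here as an example and not part of the original message or of any LPI system: a generated ID drawn from a random source so that polling all possible IDs is impractical, the name required as input and never returned, and one identical answer for "unknown ID" and "name does not match". The function names, the 80-bit ID length and the sample record are assumptions.

```python
import hmac
import secrets
import unicodedata

# Constructed in-memory register; a real service would use a database.
REGISTER = {}

# Single answer for every failed lookup, whatever the reason.
NO_MATCH = {"verified": False}

def new_candidate_id():
    """Random 80-bit ID: the ID space is too sparse to enumerate by polling."""
    return secrets.token_hex(10)

def normalize_name(name):
    """Fold case, accents and spacing so common spelling variants still match."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(no_accents.casefold().split())

def enroll(name, level, since):
    """Store only what the public register may reveal: level and date."""
    cid = new_candidate_id()
    REGISTER[cid] = {"name": normalize_name(name), "level": level, "since": since}
    return cid

def verify(candidate_id, claimed_name):
    """Return status only when ID and name agree; never echo the stored name.

    An unknown ID and a wrong name give the same answer, so a caller cannot
    learn which IDs exist or whose ID a guessed value is.
    """
    record = REGISTER.get(candidate_id)
    stored = record["name"] if record else ""
    claimed = normalize_name(claimed_name)
    same = hmac.compare_digest(stored.encode(), claimed.encode())
    if record is None or not same:
        return NO_MATCH
    return {"verified": True, "level": record["level"], "since": record["since"]}

if __name__ == "__main__":
    # Constructed sample candidate, invented for illustration.
    cid = enroll("José  Müller", "LPIC-1", "1999-08-24")
    print(verify(cid, "jose muller"))
    print(verify(cid, "Someone Else"))
```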