EndNote
Authentication and Trust in a Networked World
by Clifford Lynch
At the institutional level, authentication and authorization are familiar
problems. For decades, academic institutions have been working to design
and deploy systems that control access to key institutional resources
and that permit individuals to manage data about themselves, such as
personnel or registration information. This was an internal campus matter,
and planning was typically driven by information technology and business
administration units.
In the networked
information age, we are seeing the emergence of a web of interorganizational
trust relationships in support of commerce and information access, implemented
and expedited through new authentication and access management systems.
Today this is perhaps most visible as libraries begin to offer extensive
electronic resources that are used throughout the campus community.
Academic libraries
currently license access to a wide range of databases and electronic
publications on a commercial basis; they write contracts that purchase
access to remote network information resources on behalf of the faculty,
students, and staff of their institutions. To make these agreements
work, academic institutions and publishers must agree on mechanisms
that the publisher can use to determine whether people trying to access
the publisher's Web site are members of the appropriate academic community.
Historically, a
user's network address was used as a surrogate for his or her affiliation.
Authorized users had addresses on the campus network; this was easy
for the publisher to check. On campus, networked computers were assumed
to serve members of the campus community. In the days when academic
institutions also provided dial-in access for off-campus users, these
users, once authenticated by the campus modem bank, became extensions
of the campus network; to a publisher, they were in effect on-campus
users.
Today there is
a vigorous, competitive market in commercial dial-up Internet access.
Many academic institutions, unable to compete with the pricing and geographic
flexibility of the commercial offerings, have discontinued their dial-in
services. In addition, new technologies such as cable-TV Internet access,
ISDN, and DSL provide commercial broadband network access. When off-campus
users connect to these commercial services for network access, they
have commercial network addresses; publishers cannot use these addresses
to distinguish campus community members from the general public.
Several technical
approaches address this problem. One is proxies: the campus validates
users and then passes them to the publisher through a proxy machine,
guaranteeing to the publisher that only authorized users will be passed
through the proxy machine. Another alternative is to issue the user
credentials (cryptographic certificates or passwords), which the publisher
can collect and validate with a trusted host managed by the campus administration.
Yet the technical problems with both approaches are formidable. Additionally,
the choice of technical approach interacts with fundamental policy issues
surrounding networked information access.
User privacy has
been a key concern in academic libraries, both on a philosophical basis
and through legal mandates (student and patient record confidentiality,
for example). Libraries not only implement policies to maintain the
confidentiality of usage records but also design technical systems to
minimize the extent of these usage records. For example, circulation
systems track books that are currently checked out by a user, but after
a book is returned, no record is kept of the details of a user's borrowing
history. License agreements can maintain confidentiality, but the choice
of an access management system that minimizes the flow of personal information
to publishers may also be desirable. Balancing the need for privacy
is the need for user accountability; an essential part of a license
is a commitment by the academic institution to work with the publisher
to ensure that members of the campus community understand and honor
the usage terms and conditions of the license. This means that campus
and publisher need to be able to identify and investigate sources of
anomalous and inappropriate use and to deal with problems as they occur.
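
An added illustration, not part of the original column: one way a campus could vouch for membership while sending the publisher only an opaque per-publisher handle, which the campus alone can map back to a person when misuse is investigated. The keys, user IDs, publisher names and function names are all constructed, and a key shared between campus and publisher stands in for the publisher's validation call to the campus-run trusted host.

```python
import hashlib
import hmac
import json
import time

# Constructed values for illustration only.
CAMPUS_SECRET = b"campus-only-secret"   # never leaves the campus
SHARED_KEYS = {"publisher-a": b"key-shared-with-publisher-a"}

def _clock(now):
    return int(time.time() if now is None else now)

def pseudonym(user_id, publisher):
    """Stable for one publisher, unlinkable across publishers."""
    msg = f"{publisher}|{user_id}".encode()
    return hmac.new(CAMPUS_SECRET, msg, hashlib.sha256).hexdigest()[:16]

def issue_assertion(user_id, publisher, now=None, ttl=300):
    """Campus side: assert membership without naming the user."""
    claims = {"aud": publisher, "member": True,
              "sub": pseudonym(user_id, publisher),
              "exp": _clock(now) + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEYS[publisher], body, hashlib.sha256).hexdigest()
    return body, tag

def verify_assertion(body, tag, publisher, key, now=None):
    """Publisher side: accept only an intact, unexpired assertion meant for it."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                      # altered or not issued by the campus
    claims = json.loads(body)
    if claims["aud"] != publisher or claims["exp"] < _clock(now):
        return None                      # wrong audience or stale
    return claims

def resolve(handle, publisher, directory):
    """Campus side: map a reported handle back to a user for follow-up."""
    for user_id in directory:
        if hmac.compare_digest(pseudonym(user_id, publisher), handle):
            return user_id
    return None

if __name__ == "__main__":
    body, tag = issue_assertion("jdoe", "publisher-a")
    claims = verify_assertion(body, tag, "publisher-a", SHARED_KEYS["publisher-a"])
    print("publisher sees:", claims)
    print("campus resolves:", resolve(claims["sub"], "publisher-a", ["asmith", "jdoe"]))
```

The publisher's usage logs then hold only the handle, so an anomalous-use report can be passed to the campus for resolution without the publisher ever learning who the user is.
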
Campus-wide access
to commercial networked information resources is only one example of
the emerging interorganizational relationships. Others include interuniversity
resource sharing, access to licensed course reserve materials (where
usage must be controlled based on course enrollment and where user privacy
is a particularly vexed matter), electronic commerce with vendors, and
systems to track and verify the authenticity and provenance of documents
and other digital objects, including the descriptions (metadata) that
members of an academic community may create for digital materials. In
all of these situations, one organization must trust another to identify
members of specific communities, and a technical infrastructure realizing
this trust relationship is needed. Similar issues are emerging in the
corporate and consumer spheres as well.
Thoughtful campus-wide
dialog about expectations and policies concerning the use of networked
information is becoming urgent as electronic resources are becoming
more commonplace; these discussions will require leadership from both
librarians and information technologists and must span the entire institutional
community. These discussions will also offer a natural point of departure
for exploring other interorganizational network applications. Technical
design choices for future authentication, authorization, and access
management systems must take the full range of applications (which go
far beyond the campus boundaries) and the policy context of these applications
into account and must reflect the fundamental values of free speech
and inquiry, privacy, and personal responsibility, values that are central
to the academic enterprise.
Note: more information
on some of the topics discussed here can be found in a white paper on
authentication available at the CNI Web site: http://www.cni.org.