Authentication and Open Standards - PowerPoint PPT Presentation

Slides: 13
Provided by: brian89
Transcript and Presenter's Notes

1
Authentication and Open Standards
  • Brian Kelly
  • UKOLN
  • University of Bath
  • Bath, BA2 7AY
  • http://www.ukoln.ac.uk/

UKOLN is funded by the British Library Research
and Innovation Centre, the Joint Information
Systems Committee of the Higher Education Funding
Councils, as well as by project funding from the
JISC's Electronic Libraries Programme and the
European Union. UKOLN also receives support
from the University of Bath where it is based.
2
What Are Open Standards?
  • Open specification (not owned) e.g. HTML (but not
    RTF - or Java?)
  • Avoids patented technologies (e.g. GIF) - dangers
    of rights being sold
  • Freely available implementations (open source) as
    well as commercial implementations (cf. Web
    browsers and servers)
  • Cross-platform browsers and servers (distributed
    architecture)
  • Extensible - future-proof, so still usable when
    something new arrives
  • Distributed (inter-operable)

3
Authentication Requirements
  • Users
    • This is Jane Brown, of Bath University
    • For restricting access to authorised users
  • Servers
    • This is the SOSIG gateway, of the eLib program,
      funded by JISC, which supports the BSxxx
      cataloguers guidelines
    • For use by brokers
  • Resources
    • This document is the terms and conditions
  • Code
    • This Java code conforms to Bath Univ guidelines
    • For authentication of bona fide teaching
      applications

4
Not Just Authorisation
  • Authentication is required for more than just
    authorisation

[Diagram: three client / server exchanges]
  • Authentication
    • Client: This is me (really)
    • Server: OK
  • Authorisation
    • Client: Can I have the ISI dataset?
    • Server: OK, you're allowed to have that
  • Personalisation
    • Client: Hi, it's me again
    • Server: I remember you. Here are some extra
      resources I think you'll like. Oh, and as you're
      visually impaired they are in x format
5
Digital Certificates
  • "A digital certificate is an electronic "credit
    card" that establishes your credentials when
    doing business or other transactions on the Web.
    It is issued by a certification authority (CA).
    It contains your name, a serial number,
    expiration dates, a copy of the certificate
    holder's public key."
  • "Internet business and many other transactions
    require a more stringent authentication process
    than usernames. The use of digital certificates
    issued and verified by a Certificate Authority
    (CA) as part of a Public Key Infrastructure is
    considered likely to become the standard way to
    perform authentication on the Internet." -
    whatis.com

6
Deployment Model
[Diagram labels: JISC; CVCP; BIDS; eLib, JTAP; Bath Univ.]
  • CVCP (say) authenticates universities. JISC (say)
    authenticates JISC services and JISC funding programmes
  • Universities then authenticate people (staff and
    students), resources (documents), code (Java and
    ActiveX) and services (information gateway,
    online course)

[Diagram labels: Bath Univ.; Code; Resources / Services; People. Legend: Authentication body; Authenticated body]
7
User Authentication
[Diagram labels: Remote; Local or Remote; Users / organisations / ...; User Services; Local; BIDS; User Signatures; Process to implement policy (e.g. authorisation); Desktop / server proxy; Multiple Access Policies; Desktop browser exploits certificates]
[Example policies in diagram: Cultural Studies Gateway Policy - freely available; Technological University / Engineering Dept - No thanks]
  • The process to implement policy could be an
    Apache module, a Windows NT / IIS program, etc.

8
Resource Authentication
  • Available now in web browsers
  • Can check
    • Server
    • Resource
    • Mobile code
  • Infrastructure for widespread deployment not yet
    in place

9
Service Authentication
  • In ecommerce
    • Find online banks which provide loans which are
      members of the Banking Corporation
    • Search for hotels which cost < 100 and are
      members of the Good Banking organisation
  • In HE
    • Find online courses which are given by institutes
      recognised by the HEFCE and the US equivalent
    • Cross-search UK and US gateways using the new
      FooBar distributed search protocol and which are
      funded by JISC or NSF and which abide by the
      TRUSTe privacy guidelines
  • Note that authenticated services which provide
    service details in machine-readable format will
    be needed for deployment of intelligent agents,
    brokers, etc.

10
How Close to Implementation?
  • We Want an Extranet!
  • Thawte's white paper on Strong Extranets
    describes similar functionality to UK HE's
    requirements
  • Students provided with email and access control
    certificate
  • "Relative identity" (student no.) stored in
    certificate and processed by applications

See <URL: http://www.thawte.com/certs/strongextranet/contents.html>
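
An added example (not from the original slides) of the "process to implement policy" from slide 7 consuming the "relative identity" described above. It assumes Apache mod_ssl's SSL_CLIENT_* variables with comma-separated DNs and that the student number is carried in the subject's UID attribute; the policy table and sample values are constructed.

```python
import re

# Constructed policy table: service -> issuing organisations admitted (None = open).
POLICIES = {
    "cultural-studies-gateway": None,        # freely available
    "isi-dataset": {"University of Bath"},   # licensed institutions only
}

def parse_dn(dn):
    """Parse "KEY=value,KEY=value" into {KEY: [values]}; '\\,' is an escaped comma."""
    attrs = {}
    for part in re.split(r"(?<!\\),", dn):
        key, sep, value = part.strip().partition("=")
        if not sep or not key:
            raise ValueError(f"malformed DN component: {part!r}")
        attrs.setdefault(key.upper(), []).append(value.replace("\\,", ","))
    return attrs

def single(attrs, key):
    """Return the attribute only if it occurs exactly once (ambiguity is refused)."""
    values = attrs.get(key, [])
    return values[0] if len(values) == 1 else None

def decide(service, env):
    """Return (allowed, relative_identity, reason) for one request."""
    if service not in POLICIES:
        return (False, None, "unknown service")           # default deny
    allowed_orgs = POLICIES[service]
    if allowed_orgs is None:
        return (True, None, "freely available")
    # The DNs mean nothing unless the server validated the chain to a trusted CA.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return (False, None, "no verified client certificate")
    try:
        issuer = parse_dn(env.get("SSL_CLIENT_I_DN", ""))
        subject = parse_dn(env.get("SSL_CLIENT_S_DN", ""))
    except ValueError:
        return (False, None, "malformed DN")
    org = single(issuer, "O")
    if org not in allowed_orgs:
        return (False, None, "issuer not covered by policy")
    student_no = single(subject, "UID")   # assumption: UID holds the student number
    if student_no is None or not re.fullmatch(r"[0-9]{1,10}", student_no):
        return (False, None, "no usable relative identity")
    # A student number is only unique relative to the university that issued it.
    return (True, f"{student_no}@{org}", "authorised")

# Constructed request environment for a certificate issued by the university's CA.
JANE = {"SSL_CLIENT_VERIFY": "SUCCESS",
        "SSL_CLIENT_S_DN": "CN=Jane Brown,UID=9812345,O=University of Bath,C=GB",
        "SSL_CLIENT_I_DN": "CN=Bath Univ. CA,O=University of Bath,C=GB"}
```

The identity is qualified by the issuing organisation because the same student number can exist at two universities, and an unverified or ambiguous certificate is refused rather than guessed at.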
11
The Market Players
  • Many players in marketplace
    • BT Trustwise at http://www.trustwise.com/
    • Verisign at http://www.verisign.com/
12
What Next?
  • Need to avoid reinventing coloured books!
  • Gain Experience from Bottom Up
    • Learn from departmental / organisational
      experiences
    • Funding of pilots (see JTAP projects at <URL:
      http://www.jtap.ac.uk/>)
  • Top Down Approach
    • EU / UK initiatives, e-commerce developments
  • Awareness of Alternatives
    • Smart cards, Pentium ID
    • Proprietary solutions
  • Continuation of discussions, monitoring
    developments, healthy scepticism, etc.
  • Main problems are political and organisational