Authentication and Trust in a Networked World
by Clifford Lynch
At the institutional level, authentication and authorization are familiar problems. For decades, academic institutions have been working to design and deploy systems that control access to key institutional resources and that permit individuals to manage data about themselves, such as personnel or registration information. This was an internal campus matter, and planning was typically driven by information technology and business administration units.
In the networked information age, we are seeing the emergence of a web of interorganizational trust relationships in support of commerce and information access, implemented and expedited through new authentication and access management systems. Today this is perhaps most visible as libraries begin to offer extensive electronic resources that are used throughout the campus community.
Academic libraries currently license access to a wide range of databases and electronic publications on a commercial basis; they write contracts that purchase access to remote network information resources on behalf of the faculty, students, and staff of their institutions. To make these agreements work, academic institutions and publishers must agree on mechanisms that the publisher can use to determine whether people trying to access the publisher's Web site are members of the appropriate academic community.
Historically, a user's network address was used as a surrogate for his or her affiliation. Authorized users had addresses on the campus network; this was easy for the publisher to check. On campus, networked computers were assumed to serve members of the campus community. In the days when academic institutions also provided dial-in access for off-campus users, these users, once authenticated by the campus modem bank, became extensions of the campus network; to a publisher, they were in effect on-campus users.
Today there is a vigorous, competitive market in commercial dial-up Internet access. Many academic institutions, unable to compete with the pricing and geographic flexibility of the commercial offerings, have discontinued their dial-in services. In addition, new technologies such as cable-TV Internet access, ISDN, and DSL provide commercial broadband network access. When off-campus users connect to these commercial services for network access, they have commercial network addresses; publishers cannot use these addresses to distinguish campus community members from the general public.
Several technical approaches address this problem. One is proxies: the campus validates users and then passes them to the publisher through a proxy machine, guaranteeing to the publisher that only authorized users will be passed through the proxy machine. Another alternative is to issue the user credentials (cryptographic certificates or passwords), which the publisher can collect and validate with a trusted host managed by the campus administration. Yet the technical problems with both approaches are formidable. Additionally, the choice of technical approach interacts with fundamental policy issues surrounding networked information access.
User privacy has been a key concern in academic libraries, both on a philosophical basis and through legal mandates (student and patient record confidentiality, for example). Libraries not only implement policies to maintain the confidentiality of usage records but also design technical systems to minimize the extent of these usage records. For example, circulation systems track books that are currently checked out by a user, but after a book is returned, no record is kept of the details of a user's borrowing history. License agreements can maintain confidentiality, but the choice of an access management system that minimizes the flow of personal information to publishers may also be desirable. Balancing the need for privacy is the need for user accountability; an essential part of a license is a commitment by the academic institution to work with the publisher to ensure that members of the campus community understand and honor the usage terms and conditions of the license. This means that campus and publisher need to be able to identify and investigate sources of anomalous and inappropriate use and to deal with problems as they occur.
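The address check, the credential approach, and the privacy and accountability balance described above can be sketched together. This is an added example, not part of the original article: an HMAC key shared under the license stands in for certificates, and every name, key, and address in it is constructed for illustration.

```python
import hashlib, hmac, ipaddress, json

# All values below are constructed for illustration.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")   # stand-in campus range
SHARED_KEY = b"campus-publisher-demo-key"           # agreed under the license
PSEUDONYM_KEY = b"campus-only-demo-key"             # never leaves the campus

def ip_is_campus(addr):
    """Historical check: network address as a surrogate for affiliation."""
    return ipaddress.ip_address(addr) in CAMPUS_NET

def pseudonym(user_id, publisher):
    """Stable per-publisher identifier that does not name the user."""
    msg = f"{publisher}|{user_id}".encode()
    return hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:16]

def campus_issue(user_id, publisher, now, ttl=300):
    """Campus side: assert membership after local login, without naming the user."""
    claims = {"aud": publisher, "sub": pseudonym(user_id, publisher),
              "affiliation": "member", "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag

def publisher_verify(token, publisher, now):
    """Publisher side: accept only an intact, unexpired assertion for this site."""
    try:
        body_hex, tag = token.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    claims = json.loads(body)
    if claims.get("aud") != publisher or claims.get("exp", 0) <= now:
        return None
    return claims

def campus_reidentify(sub, publisher, directory):
    """Accountability: only the campus can map a reported pseudonym to a person."""
    return next((u for u in directory if pseudonym(u, publisher) == sub), None)
```

The publisher's usage records hold only the opaque `sub` value; when anomalous use is reported, the campus resolves it with `campus_reidentify` and handles the matter locally.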
Campus-wide access to commercial networked information resources is only one example of the emerging interorganizational relationships. Others include interuniversity resource sharing, access to licensed course reserve materials (where usage must be controlled based on course enrollment and where user privacy is a particularly vexed matter), electronic commerce with vendors, and systems to track and verify the authenticity and provenance of documents and other digital objects, including the descriptions (metadata) that members of an academic community may create for digital materials. In all of these situations, one organization must trust another to identify members of specific communities, and a technical infrastructure realizing this trust relationship is needed. Similar issues are emerging in the corporate and consumer spheres as well.
Thoughtful campus-wide dialog about expectations and policies concerning the use of networked information is becoming urgent as electronic resources are becoming more commonplace; these discussions will require leadership from both librarians and information technologists and must span the entire institutional community. These discussions will also offer a natural point of departure for exploring other interorganizational network applications. Technical design choices for future authentication, authorization, and access management systems must take the full range of applications (which go far beyond the campus boundaries) and the policy context of these applications into account and must reflect the fundamental values of free speech and inquiry, privacy, and personal responsibility, values that are central to the academic enterprise.
Note: more information on some of the topics discussed here can be found in a white paper on authentication available at the CNI Web site: http://www.cni.org.