Re: Access from publisher?


Subject: Re: Access from publisher?
Mark Kibbey (mkibbey@u.washington.edu)
Date: Wed, 1 Sep 1999 13:57:06 -0700 (PDT)


To: Multiple recipients of list <arl-ejournal@arl.org>
In-Reply-To: <4.2.0.58.19990901101209.00985bd0@blitzen.dartmouth.edu>
Message-Id: <Pine.A41.4.10.9909011341530.88718-100000@homer35.u.washington.edu>

On Tue, 31 Aug 1999, William Garrity <william.garrity@dartmouth.edu> wrote:
>
> On Mon, 30 Aug 1999, George Porter <george@library.caltech.edu> wrote:
> >
> > On Mon, 30 Aug 1999, Anke de Looper <Anke.DeLooper@benjamins.nl> wrote:
> > >
> > > 1) Libraries seem to favor IP-controlled access over passwords. Is that
> > > so, and why? I thought passwords would allow greater flexibility in
> > > offering access to patrons even if they are off-site. Also, IP
> > > authentication is problematic (see ARL-EJOURNAL messages in
> > > February about JANET cache).
> >
> > As noted previously, although it can NOT be reiterated too often,
> > usernames and passwords are a major headache for librarians to
> > distribute in anything approximating a secure manner. In addition,
> > user behavior indicates that seemingly very minor hurdles are, in
> > practice, huge barriers to access. Users would like to discover a
> > direct link from wherever they first hear of an article to the
> > article proper. Each step which intervenes has a negative effect
> > on follow through with attrition rates of 25% or more. (Percentage
> > generated from thin air for purposes of illustration only -- use at
> > your own risk!) You do the math, whether you choose 10% attrition
> > or 50% attrition for each step, the fall off from potential audience
> > for an article to actual audience declines significantly with each
> > click. Throw in a side trip to the library's website or catalog to
> > retrieve a username and password, instead of proceeding directly from
> > a link in an email message or a URL in a printed article, and you
> > have seriously damaged the economic value of mounting the article
> > on the web in the first place.
> >
> > > 2) Do libraries (prefer to) download an issue of an electronic journal
> > > once, to offer access to patrons from a local server, or is the
> > > issue/document downloaded from the publisher's server by each
> > > patron in turn? Does this depend on what the publisher allows?
> >
> > Library preferences are much harder to pin down than user behavior.
> > Huge consortia, like OhioLINK, have the efficiencies of scale to support
> > the massive servers and additional system staff necessary to mount local
> > versions. Their pay off is in guaranteed and more responsive access.
> > Individual libraries may not have the technical skills, staffing,
> > infrastructure (pick as many as you want) to accomplish this end.
>
> Dartmouth does not favor IP-controlled access over passwords.
>
> I've been lurking in this discussion but have to jump in and opine
> that we need to do better than IP-controlled access, if for no other
> reason than that it is problematic for off-site users. (At Dartmouth,
> many members of our academic medical center community are off-site;
> various users across the whole College connect to Dartmouth via
> various ISPs.)
>
> We have implemented a solution -- Kerberos -- that in the ideal
> instances (which are many), gives single sign-on authentication
> and authorization for a variety of services (e.g., email) and
> resources (e.g., information resources from the library). Users
> are authenticated against the College's name directories and then
> authorized for access as appropriate -- one sign-on can credentialize
> the user for a variety of services and resources.
>
> See http://www.dartmouth.edu/~kerberos/; see also
> http://web.mit.edu/kerberos/www/ and
> http://www.contrib.andrew.cmu.edu/~shadow/kerberos.html. There
> is also a good article in Scientific American -- Author: Schiller,
> Jeffrey I. Title: Secure distributed computing. Augmented Title:
> noting MIT Athena project and Kerberos authentication system Source:
> Scientific American v. 271 (Nov. '94) p. 72-6
>
> Statements that usernames and passwords aren't favored versus
> IP-controlled access... well, it depends. With the right tools,
> you can make one sign-on persist for multiple purposes.

 I think this discussion has drifted from how the Publisher/vendor
controls access into the fabled discussions of campus authentication
& permissions.

 Kerberos by itself will only validate a user's identity (and in any
complex system you will need LDAP or some other system to provide
data on what permissions that user is eligible for). My campus is
using Kerberos for general authentication, but it's actually not
much help to the UW Libraries yet since it includes many people
(like alumni) who are not eligible for licensed library databases.

 Finally, there is validating the user to the Publisher/vendor which
is a completely separate problem. You still need either a proxy
server which launders the IP or a password server (with some scheme
to hide the password). Both methods are fraught with long term
problems although the majority vote of those who have implemented
systems is to proxy. That shows up in the comments here in favor of
IP. Longer term, certificates would solve this problem. See the CNI
papers on this <http://www.cni.org/projects/authentication/> but
there are enormous short term problems as outlined in the articles.

============================================================================
Mark Kibbey Associate Director of Libraries, Library systems
University of Washington FAX: (206)-685-8727
============================================================================
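
Added example, not part of the original message or of any campus system it mentions: a minimal gate showing the split described above, where Kerberos has already established identity and a separate directory lookup decides whether a campus proxy should forward the request to a licensed resource. The realm, the directory contents (a dict standing in for LDAP) and the affiliation names are all constructed assumptions.

```python
# Authentication (who is this?) versus authorization (is this person
# covered by the license?) in front of a campus proxy.
# REALM, DIRECTORY and the affiliation names are constructed, not real data.
from dataclasses import dataclass

REALM = "EXAMPLE.EDU"  # hypothetical Kerberos realm

# Stand-in for an LDAP lookup: principal name -> set of affiliations.
DIRECTORY = {
    "asmith": {"faculty"},
    "bjones": {"student", "staff"},
    "cdoe": {"alumni"},
}

# Affiliations a (hypothetical) publisher license covers.
LICENSED = {"faculty", "student", "staff"}


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def parse_principal(principal):
    """Split 'name@REALM' into (name, realm); reject anything else."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name, realm


def authorize(principal, directory=DIRECTORY, licensed=LICENSED, realm=REALM):
    """Decide whether the proxy forwards a request for a principal that
    has already authenticated. Authentication alone never grants access."""
    try:
        name, principal_realm = parse_principal(principal)
    except ValueError as exc:
        return Decision(False, str(exc))
    if principal_realm != realm:  # Kerberos realm names are case-sensitive
        return Decision(False, "foreign realm")
    affiliations = directory.get(name)
    if affiliations is None:
        return Decision(False, "no directory entry")
    covered = affiliations & licensed
    if not covered:
        return Decision(False, "authenticated but not covered by license")
    return Decision(True, "covered as " + ",".join(sorted(covered)))
```

The deny-by-default ordering matters: a valid ticket with no directory entry, or with only an uncovered affiliation such as the alumni case, is refused before the proxy ever presents the campus address to the vendor.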


