Subject: Re: Access from publisher?
Chris Rusbridge (cudbm@csv.warwick.ac.uk)
Date: Mon, 6 Sep 1999 18:06:05 +0100
Date: Mon, 6 Sep 1999 18:06:05 +0100 From: Chris Rusbridge <cudbm@csv.warwick.ac.uk> To: arl-ejournal@arl.org Subject: Re: Access from publisher? Message-Id: <19990906180604.E29173@mimosa.csv.warwick.ac.uk> References: <3.0.32.19990830171136.006af1e0@pop3.NL.net> In-Reply-To: <3.0.32.19990830171136.006af1e0@pop3.NL.net>; from Anke de Looper on Mon, Aug 30, 1999 at 05:12:55PM +0200
There have been many useful replies to this original email. I'd just
like to add a further perspective to the authorisation question...
On Mon, Aug 30, 1999, Anke de Looper <anke.delooper@benjamins.nl> wrote:
>
> 1) Libraries seem to favor IP-controlled access over passwords. Is
> that so, and why? I thought passwords would allow greater flexibility
> in offering access to patrons even if they are off-site. Also, IP
> authentications is problematic (see ARL-EJOURNAL messages in February
> about JANET cache).
In the UK, academic libraries now use ATHENS (http://www.athens.ac.uk/)
to control access to most publicly provided resources. This results in
a system where one username/password (preferably unique to an individual
staff member or student) can provide access to resources from many
providers, and overcomes many of the usability and maintenance problems
of the password approach. Maintenance from the information provider's
point of view is practically zero as the site reps manage the passwords
in combination with the ATHENS service (increasingly using bulk uploads
of data to minimise work). ATHENS can I believe be used in combination
with IP-based access if the provider wishes.
We are aware that ATHENS is imperfect, and also that it suits our
particular model of information service provision much better than it
would suit that in some other countries (and notably the US). JISC
will be seeking to improve ATHENS and other aspects of our middleware
infrastructure, and will be seeking to participate in any appropriate
international initiatives in this direction. My personal goal here
is to see a situation where locally based single secure sign-ons
arrangements can be translated into access to resources such as
ejournals which are available through locally negotiated licence
agreements and contracts. What this means to me is that information
resource providers must maintain the maximum flexibility in their
authentication arrangements, allowing them to replace the
authentication regime in relation to different institutions or
consortia. In fact, it seems to make more sense here to talk about
authorisation arrangements than authentication arrangements. Ejournal
providers don't need to know who the readers are (and as Cliff Lynch
and others have pointed out in the CNI authentication white paper
[http://www.cni.org/projects/authentication/authentication-wp.html],
the providers perhaps should not know who the readers are); they need
to know whether the readers are authorised to access the resource and
under what arrangement.
What I would like to see now is some sort of API for determining
authorisation for access to services provided under mediated
arrangements such as ejournal site licence deals. Such an API
would allow different actual systems to be put in place at low cost
for different consortial arrangements.
In the meantime, stay flexible and avoid local solutions!
-- Chris RusbridgeProgramme Director, Electronic Libraries Programme The Library, University of Warwick, Coventry CV4 7AL, UK Phone 01203 524979 Fax 01203 524981 Email C.A.Rusbridge@Warwick.ac.uk
This archive was generated by hypermail 2a16 : Mon Dec 20 1999 - 18:02:16 EST