Hi, at yesterday's authentication meeting I took an action to forward the notes I was taking to this list - see below. Apologies in advance to anyone who I've misidentified, misrepresented, or left out :-)
I'd just like to take this opportunity to direct people to the DTI's encryption and digital signatures consultation paper, which you'll find a reference to in the URLs at the end of my notes. The legislation which the Government are proposing to introduce to regulate the use of cryptographic systems may have a significant impact on JISC projects which plan to use encryption or cryptographic authentication, or issue their own digital certificates. Be aware that you only have until the *1st of April* to return your comments.
Sayonara!
Martin
Wednesday 10th March 1999, Brunei Gallery, SOAS, London.
Presentations and notes available courtesy of Brian Kelly/UKOLN at: <URL:http://www.ukoln.ac.uk/services/elib/events/authentication/>
See also [1]
Attendees (initials, name, project, institution):
AFA - Tony Austin, ADS, University of York
VB - Verity Brack, RIDING, University of Sheffield
AC - Andrew Colleran, PRIDE, Quercus Information Ltd
AMC - Alan Cox, South Bank University
HD - Hussayn Dabbous, Axion GMBH
SSD - Sean Dunne, MIDAS/NESLI, University of Manchester
JE - Jonathan Eaton, HEADLINE, London Business School
TF - Tom Franklin, JTAP, University of Manchester
EG - Elizabeth Graham, eLib Programme Office, University of Warwick
JPK - Jon Knight, ROADS, Loughborough University
JG - John Gilby, London School of Economics
DG - Daphne Gleadhill, HyLife, University of Newcastle
MTH - Martin Hamilton, ROADS/JANET Web Cache Service, Loughborough University (secretary)
PH - Paul Harvey, PRIDE, Fretwell Downing
WPJ - Bill Jupp, CEDARS
BK - Brian Kelly, UK Web Focus/UKOLN, University of Bath
DK - Darryl Kirk, London School of Economics
SWH - Stephen Harris, MALIBU, University of Southampton
MH - Mike Heyworth, Council for British Archaeology
AL - Ann Lees, MALIBU, King's College London
SM - Simon McLeish, HEADLINE, London School of Economics
PM - Paul Morris, SEREN, University of Wales, Cardiff
TMM - Terry Morrow, BIDS, University of Bath
JM - John Murison, EDINA, University of Edinburgh
GNI - Greg Newton-Ingham, AGORA, University of East Anglia
HMN - Hilary Nunn, EdBank, Open University
JP - John Paschoud, HEADLINE/DECOMATE, London School of Economics
GP - George Pitcher, HERON, Napier University
DJP - David Price, Radcliffe Science Library, University of Oxford
CAR - Chris Rusbridge, eLib Programme Office/CEI, University of Warwick (chair)
IPU - Ian Upton, BUILDER, Birmingham University
MW - Maureen Wade, HEADLINE/DECOMATE, London School of Economics
IW - Ian Winship, University of Northumbria at Newcastle
NW - Norman Wiseman, JISC, University of Nottingham
RY - Robin Yeates, CANDLE/CANDLE-Athens, South Bank University
EZ - Eddie Zedlewski, NISS/ATHENS, University of Bath
10.00 - 10.30 Arrival and coffee
10.30 - 10.40 Welcome (Chris Rusbridge)
10.40 - 11.00 Overview of hybrid library requirements (Jonathan Eaton)
11.00 - 11.10 Clumps requirements (Verity Brack)
11.10 - 11.55 ATHENS briefing (Eddie Zedlewski)
MTH's notes on EZ's talk which there was no time to bring up...
If the move is towards sites doing bulk uploading of their ATHENS data (implication of EZ's talk), why do we need ATHENS ? Sites could just bulk upload (e.g. in Apache compatible user name and encrypted password format?) user names and encrypted passwords to service providers. Any provider who isn't capable of periodically refreshing their ACLs with the new data probably shouldn't be a service provider in the first place!
Very concerned about cleartext user name and password disclosure to data service providers, given the implication that these may be used for both local and remote resources, and resources which have a per-use type cost associated with them. With the very limited information which has been made publicly available about ATHENS it appears that this is the model it has adopted - authentication of the WWW browser is done against the service provider's WWW server, which in turn contacts ATHENS with the user name and password supplied.
11.55 - 12.30 Discussion
JM - User profiles exist in ATHENS already ?
EZ - They exist and the mechanism is quite flexible.
PH - Access to it through C API ? What does the profile consist of ?
EZ - Yep, think of it as a Windows .ini (i.e. attribute/value pairs) file.
PH - These problems have received a lot of attention from distributed directory people ? Could distribute this using locally run directory services (e.g. LDAP) as being investigated by PRIDE ?
SWH - Can we store our user profile (large XML object) in ATHENS profile
field ? How much bandwidth is available for updates ?
EZ - Not sure how much room is available, would have to check.
IPU - What use is the ATHENS user profile ? e.g. should projects use the
ATHENS DB for their own user profiles, or is it for general use
by ATHENS service providers ?
EZ - Need to attach info to a resource/user combination, rather than say
just a user.
MTH - What about LDAP support in ATHENS ? EZ's Educom slides from October
1998 peg it as a 'future' - is it still a future ? What about
other commonly used protocols ? e.g. Radius authentication server.
EZ - LDAP still a future. Future directions for ATHENS still being determined at the JISC level.
MTH - Any intention to document the protocol used for authentication
between the service provider and ATHENS ? It's not very useful
to bandy around phrases like 'multiple levels of encryption'
without defining what you mean (e.g. algorithms, key sizes, ...)
EZ - All commercial in confidence at the moment. Would be interested
in opening ATHENS up at least to a degree, but hampered by (for
instance) Intellectual Property issues.
MTH - Although the slides state that ATHENS development wants to follow
standards being set in terms of (for instance) protocols, there is the possibility of
ATHENS being the world leader and de facto standard for proxy authentication
if it were to document its currently proprietary system.
EZ - Possibly... !
MTH - Could we clarify the statement on the ATHENS WWW site about the
"system" being "free" to JISC funded services ?
EZ - Access to the ATHENS database and the ISOS Agent software is
free for JISC services (unless commercial exploitation is
involved), though support would have to be negotiated.
JP - Users have multiple identities in practice, but ATHENS not geared
up to this. Assumption is users are accessing a single resource
and user has to login to each service. This is a big problem
when trying to cross-search multiple services.
PH - Same problem when doing authentication component of AHDS,
had to run through hoops to avoid multiple login boxes.
EZ - Have new ATHENS components coming out to do this type of thing.
GNI - Is there a convincing business case for ATHENS as an alternative
to other systems ? Need to justify it to commercial suppliers.
EZ - If anything, the pressure is coming from suppliers, due to user pressure from ATHENS sites.
DG - What are the costs and technical knowledge required for using ATHENS
in our service?
EZ - Highly variable, e.g. it's trivial to use ATHENS to protect an area
on a WWW server using the publicly available ATHENS Agent, but
bespoke development might be needed for a complex application.
CAR - What restrictions are there on information provided back to the
service provider ?
EZ - We took the minimalist approach to begin with, e.g. don't even pass
back the user's email address.
? - What platforms are supported by the ATHENS Agent ?
EZ - IBM AIX, Sun Solaris [presumably only for SPARC?] and Windows NT,
with a Perl Agent [Solaris XS wrapper round ATHENS library ? or
native Perl code ?] to be released.
MTH - Linux version ?
EZ - If there's sufficient interest :-)
BK - Any thought of using ATHENS for authentication of resources rather
than people, viz. operating a Certification Authority.
EZ - Not really.
12.40 - 13.30 Lunch
13.30 - 14.00 Authentication and Digibib NRW (Hussayn Dabbous)
BK - Thought about interoperability with other digital library systems ?
e.g. being used by academics on sabbaticals, overseas students (Distance Learning)
HD - Very important, particularly using LDAP as lowest common denominator.
Our system is modular and object-oriented, so easy to plug new technologies in.
MTH - This is commercial software which is being funded by the taxpayer in Germany ?
HD - Funded by the Nordrhein-Westfalen taxpayer, but a commercial
product. The state can distribute it to the local Universities
as part of the deal. Available for purchase since last Friday :-)
14.00 - 14.30 PRIDE (Andrew Colleran)
IW - What is the deliverable from the project ? e.g. is it a product ?!
AC - Not a product per se, though various systems will be put into place.
IW - Could you elaborate on what is going to be done, with whom ?
AC - Various activities with different groups.
MTH - Given that the taxpayer contributes a significant amount towards
the cost of these types of projects, is there any intention to
release the source code of the software produced - e.g. as public domain software ?
AC - No, and since industry is contributing towards the project it would
not be willing to condone this.
MTH - So, what's the point in the taxpayer funding this work ?
PH - Helps further University research, gives industry the opportunity
to investigate areas which it wouldn't necessarily otherwise be able to do.
[ so, that's things which don't make commercial sense ?! ]
14.30 - 15.00 BUILDER (Ian Upton)
MTH - It turns out that Mac clients do exist for Netware, though they're pretty clunky to use. Also just to mention that it's possible to dump your NDS out using a Caldera OpenLinux box - we actually use one of these to manage our NDS tree!
? - How do you authenticate ?
IPU - With TALIS user ID from their library card.
? - What about walk-in users ?
IPU - We have machines in the library...
AL - Was TALIS particularly easy to crack or should it be possible with
other library systems ?
IPU - Impression is that TALIS makes it easier than some other systems to
do this type of thing
PH - Demonstrates why you need to take a larger view of the problem, e.g. rights of
external users (cf. PRIDE) who may not be registered in local databases.
? - Can you use BUILDER if your library ticket is blocked ?
IPU - Dunno!
MTH - Were you planning to make the code developed as part of the
project available, e.g. as public domain software ?
IPU - Not really, it's all bits of string and sticky tape :-)
IW - How does TALIS authentication fit into TALIS et al ?
IPU - Could encode user names and passwords for other systems e.g.
ATHENS into the user profile for BUILDER.
? - How to pass this info (BUILDER string) around securely ?
IPU - [MTH paraphrase] Doesn't leave the server - all handled
internally within IIS.
GP - How to know when session finished ?
IPU - Have an automatic timeout and also manual logout.
CAR - So, does this mean the NDS/LDAP thing is going to happen in the
long term, and would that mean that a member of the University
could simply login to the NDS and automatically have access to
lots of protected services ?
IPU - It's a possibility, could also put this info into TALIS.
PH - What's the protection of the BUILDER string ? Encryption?
IPU - Have to put a lot of thought into this before implementing it,
to avoid causing security problems.
CAR - What technologies are available for authentication other than NDS ?
[ Various people mentioned NIS/YP, NIS+, LDAP (poss. as NDS front end), and SSL with appropriate certification ]
15.00 - 15.30 Discussions at CNI (Norman Wiseman)
15.30 - 16.00 General discussion and close
PH - Would be useful to have at least a recommendation of a route for
people to go down ? to prevent them from all going their own separate ways...
CAR - Can't dictate to people what technologies they use - doesn't work!
Remember Coloured Books :-)
PH - Doesn't necessarily mean forcing people down particular paths,
just recommendations.
NW - Several institutions reviewing the BS7799 security standard as a JTAP project.
TF - Better yet to persuade suppliers to use the same systems
BK - Proper Public Key Infrastructure should overcome much of the
problems, especially if there was a working CA for UK HE.
CAR - Lots of problems with certificates, e.g. mobile users with no filestore of their own.
WJP - Leeds going for digital signature trial over the summer.
JP - Is the JISC participating in the Government's crypto consultation exercise ?
NW - Not that I'm aware of, though UCISA has made representations in the
previous iterations of this.
MTH - (Brandishing copy of consultation paper :-) NB you have until 1st
April to make your comments, though this appears to be in breach
of parliamentary procedure. This will have a major impact on
any services using cryptographic authentication and/or
encryption, particularly if you plan to set up shop as a
Certification Authority. Download your copy from [2]
JPK - Note the distinction between signing and encryption keys made in
the consultation document.
CAR - Suggests discussions proceed on lis-elib-tech. BK is mounting the slides on the UKOLN WWW site and will mail lis-elib-tech with the URL. MTH will contribute his notes.
CAR - Any interest in other concertation days ? e.g. on digital identifiers: SICCI, URNs, ... (there was)
MTH - Interest in whether people from projects represented in the room
want to release source code as e.g. public domain or open source
in the GNU sense. This could give projects the opportunity to
leave a lasting result beyond the odd published paper and
conference session. Since many of these projects cost very large
sums of taxpayer's money, it would seem like a responsible action,
plus without the results from old projects new projects are doomed
to repeat the work done on them.
PH - Companies may well want to keep away from projects where they lose
their IPR. Show me a successful 'open source' company!
MTH - RedHat, Caldera, Cygnus, ... :-) In any case, many projects funded
by the likes of eLib and JISC don't have commercial partners.
[ And the potential for commercial exploitation may be minimal! ]
? - What happens when the project finishes ?
MTH - It's been suggested that we have an 'opensource.ac.uk' archive site
or something similar, for archival of the results of projects
whose servers are going away (for instance). [ It might be a
written conditional for future JISC funding that projects are
required to deposit copies of their source code under an
appropriate copyright with this service ]
SM - OSS for libraries WWW site might be an appropriate place ? [3]
DJP - IP address checking for ATHENS ?
NW - Many suppliers insist on IP address based authentication (or
otherwise!). ATHENS access accounts control the rights inherited
by the walk-in user.
DJP - Observation is that users don't want to bother with passwords at all,
if they normally do all their work from a single IP address.
IW - There was a feeling that ATHENS was introduced without proper
consultation and in too much of a hurry, though all is well now.
MTH - We have to figure out (collectively) whether we consider ATHENS to be
part of the problem, or a potential solution. ATHENS could
establish itself as the Internet standard for proxy authentication,
if someone is willing to take the lead and push this forward.
JE - A proper certification system would make authentication much, much simpler.
CAR - Part of the problem is that the important data (user registration)
is normally held by different groups to the ones trying to solve
the authentication problem. As found when ac.uk tried to bootstrap
X.500 directory services :-)
RY - Trying to implement (in CANDLE-Athens) single logins to lots of
resources. Not found it possible to achieve a solution which can
be replicated on a large scale.
GNI - The point is really all about removing as many different systems of
authentication as possible.
JP - Did a quick and dirty approach to this using NT domains with a login
front end on the individual workstation.
MTH - We did a bit of code to produce a single login (without changing the
actual login programs) using an OpenLinux system to set both NDS
and Unix passwords. Should be able to make the source code
available if people are interested.
CAR - list of points noted during the day's session:
1) Cookies
JE - Explains general principles behind cookies.
IPU - Note that cookies can have a configurable lifetime, e.g. persistent vs. non-persistent (session only)
JE - Note that cookies may be intercepted, e.g. copied off user's hard
disk on shared machine.
IPU - Also note that session timeouts can be imposed separately, as well
as in the cookie delivery.
2) Data Protection
Various people commented - discussion of the new Data Protection Act (1998) and its implications. Email addresses and telephone numbers count as personal information, and (European Law requirement, apparently) may not be sent to certain countries (!). Upshot of the new law is that you're required to make it clear what the data is being used for.
Get your copy of the Act at [4] :-)
3) Non-HE and walk-in users
CAR - Is there a system for registering non-HE users of ATHENS ?
EZ - Yes, sites can set up their own ATHENS subdomains, or for very small groups of users NISS can manage them centrally.
4) Z39.50
CAR - Is authentication in Z39.50 a big issue ?
DJP - It's important that authentication systems such as ATHENS should be
able to cope with non-Web protocols.
? - What about SSL type security ?
MTH - Should be trivial to run Z39.50 over SSL, though when it was
discussed by Z3950IW there was no interest.
Post-meeting MTH checked the Z39.50 Agency WWW pages [5] and discovered that in addition to cleartext 'authentication' (standard), OIDs have been registered for DES and Kerberos encrypted authentication. No evidence of any implementations of either of these, though! Anyone know better ?
[1] Robin Yeates et al have some very useful authentication links on the CANDLE-Athens pages: <URL:http://agent.sbu.ac.uk/candleathens/>
[2] The Government's encryption and digital signatures consultation paper "Building Confidence in Electronic Commerce" is available as HTML at: <URL:http://www.dti.gov.uk/cii/elec/elec_com.html>
Note the 1st April deadline for comments - and read the paper *very* carefully.
[3] The 'Open Source Software for Libraries' WWW site is at: <URL:http://www.med.yale.edu/library/oss4lib/>
[4] The Data Protection Registrar's WWW pages and downloadable 1998 Data Protection Act: <URL:http://www.open.gov.uk/dpr/>
[5] Z39.50 Maintenance Agency WWW pages: <URL:http://lcweb.loc.gov/z3950/agency/>