Authenticated Networked Guided Environment for Learning

Access Management Glossary and References

Sets of information associated with a user, such as name, addresses,  phone number, role within institution, registered courses etc.  This information can then be used to define the rights a user has to access information (i.e. a staff member of the geography department, a postgraduate etc.)

Authentication is the process of determining the identity of an individual. It is achieved through the presentation of some kind of token which is considered proof that the individual concerned is whoever they assert they are.

A CA is responsible for ensuring that each certificate it issues complies with the appropriate standards (such as X.509) and contains the requisite information about the entity (server or individual) to which it refers.  This information will often be supplied and verified by a separate Registration Authority or RA, although a CA may in some cases carry out its own RA function. Widely used CAs include:

Globalsign.  <http://www.globalsign.net/>
Verisign. <http://www.verisign.com/products/index.html>
Thawte.< http://www.thawte.com/>.

Digital Certificates An attachment to an electronic message used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.  Certificates are assigned by trusted certificate authorities. 

Directories Directories hold the  key information needed for authentication and authorisation to work, and can be managed using a central (run by the access management provider) or distributed (run by individual institutions) system.  A directory is formed of a schema or data model (which defines the relationship of fields), a namespace (which defines the names of the fields), and attributes (the contents of the fields).

Eduperson Name given to the EDUCAUSE / Internet 2 LDAP object class used to identify person attributes / roles used widely within higher education. This standard namespace will allow a range of directory-based applications to share personal information between institutions, data providers and platforms.

Encryption The process of protecting information as it moves from one computer to another. Passing through a complex mathematical process (an encryption algorithm), the information is encoded before it is sent and decoded with a secret key when it is received. 

Federated Administration The administration of user identities and attributes is managed by the user's origin  site.  The resource provider trusts the attribute information passed by the origin site, and makes an access control decision based on these attributes.  

Federated Network Identity A term used by the Liberty Alliance Project to refer to the association, connection or binding of multiple sets of identity information for individual users through the development of affiliated groups of organisations, governed by a legal agreement. 

Identifier In terms of access management, a unique virtual identity assigned to a specific user.  This may be the user's network ID, or e-mail address, or some other unique ID separate from real user identity information such as name and address. 

Information Environment The name adopted by the JISC to describe the set of networked services that allows people to discover, access, use and publish resources collected by the JISC and JISC projects. The technical architecture suggests a three layer structure of provision layer, fusion layer and presentation layer. 

Internet2 A US initiative involving over 190 universities working partnership with industry and government to develop and deploy advanced networked applications and technologies. The Internet2 Middleware Architecture Committee for Education (MACE) is developing the Shibboleth architecture. 

IMS Enterprise A specification designed to define a standardised set of structures that can be used to exchange data between different systems. This will allow software developers and implementers to create Instructional Management processes that interoperate across systems. IMS Enterprise is looking at interoperability between Learning Management Systems and Human Resource Systems, Student Administration Systems, Training Administration Systems and Library Management Systems. 

Middleware A layer of software that sits between two applications and provides services such as authentication and authorisation, and services for combining metadata through cross-referencing, harvesting, and alerting.  This enables applications that would not normally be able to communicate to do so without having to extend either application.

Namespace A set of names in which all names are uniquely identified. This allows an object to be described without ambiguity. OAI An initiative to develop and promote interoperability standards that aim to facilitate the efficient dissemination of content.  Most widely known for the OAI-PMH (Protocol for Metadata Harvesting). 

Registration Authority A Registration Authority registers users who request a certificate, and makes sure that the information required to create a certificate is correct and up-to-date.  Once they have collected and verified the data that is required, the RA passes the certificate request onto a Certificate Authority.   

Portal Problem Name given to the persistent problem of providing seamless discovery services across a range of disparate content providers.

PKI Public Key Infrastructure refers to the complete system of digital certificate exchange and use of authorities that verify and authenticate the validity of each party involved in an Internet transaction. 

Rights Group The groups which a user belongs to, as defined by his attributes (postgraduate student, taking course EC101 etc.)  Access rights can be assigned at the group level, allowing access to members of certain groups and denying access to others.  

SAML Security Assertion Mark-up Language is an XML-based security standard for exchanging authentication and authorisation information.  SAML message exchanges are mapped to SOAP exchanges.  

SSO Single sign-on is a process that allows a user to enter authentication details once in order to access multiple applications or resources.   A list of access rights for individual users are stored on the server.  When an authentication request is received, the user is authorised to access all the applications listed.  

Web Services Simply describes services offered by a supplier via the web for web users, or other web-connected programs. Often used to refer to services that can allow users access through a peer-to-peer arrangement, or services that can communicate with other services through the use of middleware.    

X.500 A standard that defines how global directories should be structured.  

X.509 The most widely used standard for defining digital certificates.

Access Management Glossary and References

Chown, Tim, et al. Working Paper On: Secure Internet Issues for the He Community. Available: <http://www.jtap.ac.uk/reports/htm/jtap-032.html>. 24 September 2002.

Claessens, Joris, Bart Preneel, and Joos Vandewalle. "A Tangled World Wide Web of Security Issues." First Monday 7.3 (2002). <http://www.firstmonday.org/issues/issue7_3/claessens/index.html>.

Cormack, Andrew. Web Security. 1997. Available: <http://www.jisc.ac.uk/acn/authent/cormack.html>. 02 September 2002.

Educause. Pki & Security for Higher Education. 1999. Available: <http://www.educause.edu/netatedu/contents/events/aug99/proceedings.htm>. 24 Spetember 2002.

Findlay, Andrew. Regaining Single Sign-On. 23 April 1999. Available: <http://www.brunel.ac.uk/depts/cc/papers/regaining-sso.html>. 24 September 2002.<

Fu, Kevin, et al. Dos and Don't of Client Authentication on the Web. 7 September 2001. Available: <http://pdos.lcs.mit.edu/cookies/pubs/webauth.html>. 24 September 2002.

Glenn, Ariel, and David Millman. "Access Management of Web-Based Services: An Incremental Approach to Cross-Organizational Authentication and Authorization." D-Lib (1998). <http://mirrored.ukoln.ac.uk/lis-journals/dlib/dlib/dlib/september98/millman/09millman.html>.

Goerwitz, Richard. "Pass-through Proxying as a Solution to the Off-Site Web-Access Problem." D-Lib (1998). <http://mirrored.ukoln.ac.uk/lis-journals/dlib/dlib/dlib/june98/stg/06goerwitz.html>.

Hindelang, Steffan. "No Remedy for Disappointed Trust; the Liability Regime for Certification Authorities Towards Third Parties Outwith the EC Directive in England and Germany Compared." The Journal of Information, Law and Technology (JILT).1 (2002).http://elj.warwick.ac.uk/jilt/02-1/hindelang.html>.

Hunt, Steve. Remote User Authentication in Libraries. 2001. Available: <http://library.smc.edu/rpa.htm>. 24 September 2002.

ITL. Itl Bulletins Online. 2002. Available: <http://www.itl.nist.gov/lab/bulletns/cslbull1.htm>. 24 September 2002.

Leach, John. Findings from the First Stage of the Study into the Requirements for Authentication, Authorisation and Privacy in Higher Education. 1998. Available: <http://www.jisc.ac.uk/jtap/htm/jtap-015-1.html>. 04 September 2002.

Luker, Mark A. "A "Bridge" for Trusted Electronic Communications in Higher Education and the Federal Government." Educause Review 37.1. <http://www.educause.edu/ir/library/pdf/erm0203.pdf>.

Lynch, Clifford. Ed. A White Paper on Authentication and Access Management Issues in Cross-Organizational Use of Networked Information Resources. April 1998. Available: <http://www.cni.org/projects/authentication/authentication-wp.html>.

MacColl, John.  Report from the UCISA-JISC-SCONUL Access Management and Authentication Forum.  27 May 2002.  Available: <http://www.angel.ac.uk/dissemination/dissemination.html>.  22 October 2002. 

Machovec, George. Access Authentication & Security. 7 October 1998. Available: <http://library.usask.ca/access98/ppoint/machovec/html/>. 24 September 2002.

Paschoud, John. "Project Angel: Guidance and Guardianship for Networked Uk Learners." D-Lib 7.7/8 (2001). <http://www.dlib.org/dlib/july01/07inbrief.html>.

---. "Making the Pie . . .Gel." Cultivate Interactive 4 (2001).

<http://www.cultivate-int.org/issue4/pie/>.

Pinfield, Stephen. "Realizing the Hybrid Library." D-Lib (1998). <http://mirrored.ukoln.ac.uk/lis-journals/dlib/dlib/dlib/october98/10pinfield.html>.

Robiette, Alan. The Future of Authentication for Jisc Services: A Consultation Paper. Available: <http://www.jisc.ac.uk/pub02/ar1/future_auth.html>. 24 September 2002.

---. Sparta: The Second-Generation Access Management System for Uk Further and Higher Education. 2002. Available: <http://www.jisc.ac.uk/pub00/sparta_disc.html>. 24 September 2002.

Saeednia, Shahrokh. "How to Maintain Both Privacy and Authentication in Digitial Libraries." International Journal on Digital Libraries 2.4 (2000): 251-58.

Spyrelli, Christina. "Electronic Signatures: A Transatlantic Bridge? An Eu and Us Legal Approach Towards Electronic Authentication." Journal of Information, Law and Technology 2 (2002). <http://elj.warwick.ac.uk/jilt/02-2/spyrelli.html>.

Yeo Arms, William. "Implementing Policies for Access Management." D-Lib (1998). <http://mirrored.ukoln.ac.uk/lis-journals/dlib/dlib/dlib/february98/arms/02arms.html>.

Young, A., P.T. Kirstein, and A Ibbetson. Technologies to Support Authentication in Higher Education. 21 August 1996. Available: <http://www.ukoln.ac.uk/services/elib/papers/other/scoping/>. 24 September 2002.

Young, Andrew. Implementation of Janet Authentication and Encryption Services. 1997. Available: <http://www.jisc.ac.uk/acn/authent/young.html>. 24 September 2002.