Authenticated Networked Guided Environment for Learning
Access Management Conference: Question Session

This is a summary of the questions asked at the JISC / UCISA / UKERNA Access Management Event on 6th November 2002. It may be a useful starting point for further discussion of Access Management in the UK.

1. What is the solution to the problem of getting international providers to sign up to a national (UK) scheme?

The national / international problem is ongoing. UK HE / FE customers form a very small part of the customer base of international content providers and therefore have very little influence over their decisions. This might suggest that an international access management scheme would be more appropriate, but the scale of such a system would inevitably give the requirements of UK institutions even less weight.

2. Does the WS-Security protocol use SOAP version 1 or 2?

The WS-Security specification <http://www.oasis-open.org/committees/wss/documents/WSS-Core-01-0920.pdf> states that it is designed to work with the general SOAP message structure and message processing model and should be applicable to any version of SOAP (the versions in use are SOAP 1.1 and SOAP 1.2).

3. How does Shibboleth work?

Shibboleth is an initiative to develop an open, standards-based solution to the need for organisations to exchange information about their users in a secure and privacy-preserving manner. The purpose of the exchange is typically to determine whether a person using a web browser is permitted to access a resource at a target site, based on information such as being a member of an institution or of a particular class. When a user at an institution tries to use a resource at another location, Shibboleth sends attributes about the user to the remote destination (the provider) rather than making the user log in at that destination. The destination uses the attributes to decide whether or not to grant access. Shibboleth may also let each user choose what personal information is released to each destination. In particular, a user may choose whether or not their e-mail address is sent to the remote site as an attribute, when other information, such as the user's affiliation to the institution, is what actually matters for the access decision. For more information, please see the Internet2 website.

4. How are the 06/02 projects addressing the need to register and set up an institutional PKI, what media are being employed to carry certificates, and what happens when users lose this medium?

The 06/02 projects only started on 1st November 2002, so the straightforward answer is that these issues are undecided. John Paschoud discussed the potential of using USB storage devices and smartcards, but these are only areas of investigation at present. More details of the 06/02 projects can be found in Alan Robiette's presentation.

5. Is EZProxy an easier solution for institutions?

Proxy solutions can seem a good way forward for institutions, but they are more of a work-around than a solution. A proxy puts an institutional intermediary between the user and the provider, so the provider sees the proxy rather than the user; this works against the end-to-end principle of how the Internet should operate, and it also raises other issues, such as putting institutions in breach of their licence agreements with providers.

6. How do we get more suppliers to use Athens?

All parties would like more suppliers to become involved in Athens but, as previously mentioned, the influence of the small UK customer base is minimal. JISC will continue to work to involve more suppliers.

7. How does Athens manage the problem of different users with different 'hats'?

Athens is not currently able to link the different access rights that a user may hold under different roles (as a member of staff and as a member of a professional group, for example). This is on the development wish-list.

8. Is Athens Devolved Authentication available now?

Lyn Norris confirmed that Athens Devolved Authentication is available, although many institutions are struggling to put the necessary infrastructure in place.

9. Do the 06/02 projects involve commercial partners?

Many of the 06/02 projects involve commercial suppliers, including Athens and various content providers.

10. Can digital certificates potentially improve usability?

Digital certificates have the potential to provide a variety of services to users beyond resource access. Their current level of difficulty and state of development make them hard to integrate at present.

11. What is the future of X.509 certificates for providing secure e-mail solutions within the UK?

Many of the difficulties in this area lie in accepting a digital signature as something that cannot be repudiated. An analogy was drawn with signing cheques with stamps or machines rather than insisting on an original handwritten signature. There is still a lot of work to be done to change attitudes and culture in this direction.

12. Can digital certificates be used for InterLibrary Loans / copyright licensing?

ILL is a potential model for the use of digital certificates. Current UK law allows an electronic signature to be used in place of a handwritten signature as long as the parties involved have a contractual agreement for this practice. The rules are much stricter in other countries. There are specific issues about where the private keys used for digital signatures are stored and how secure that storage is: a signature is only as strong as the protection of the key that made it.

13. How can Access Management solutions address the Portal Problem?

There is a general technical problem when a user visits a remote portal and then tries, through it, to access a further remote resource. Such services need an intermediary, which tends to use short-lived proxy credentials to allow the user access. Delegating authority along a chain of this kind is a very complex process, and a well-established trust model is required before it can be solved. The portal problem is being specifically addressed by the Grid community.

14. What happens to Athens when the contract expires?

The procurement process for the next access management system is necessarily complex. There will be a well-considered migration period, and this was explicitly included in the procurement wording.

15. Would any of the speakers like to back one particular Access Management horse?

John Paschoud would back Shibboleth, or a solution that uses Shibboleth. Alan Robiette expressed an interest not so much in Shibboleth itself as in SAML, which is used by Shibboleth and by other developments such as the Liberty Alliance. Alan envisages large-scale architectures built from reusable components that plug together and talk to each other.

16. Can we dismiss Microsoft offerings as a solution for HE Access Management?

The main problem with the solutions currently offered by Microsoft is that they do not include the INSTITUTION role. This role is very specific to the education community, and it is unlikely that institutions would want to change their infrastructure to suit e-commerce solutions. Passport is a third-party service, and one of the main problems with such a service is that it is unacceptable for institutions to keep all access details in a single, remote location: a failure of that service would be crippling.

17. How do new solutions improve privacy for the user?

Shibboleth issues a one-time opaque handle for each transaction that is never reused, so the provider receives no persistent identifier for the user. These opaque session identifiers are essential. The Shibboleth structure is also important because the campus is the information holder: providers have to approach the campus for information about users, and receive only what the campus (and the user) agree to release.

18. Why should we use a national solution, and not the solutions offered by Library Management Systems?

Solutions offered by LMS simply do not do the whole job. Institutions need a much wider and deeper solution.

19. Are we allowed to know who is bidding for the new UK HE Access Management service contract?

No. The process must legally be kept private.

20. What is the role of project ANGEL?

ANGEL has been dealing with institutional access management solutions throughout the life of the project, and has also been involved in assessing both the PAPI and Shibboleth developments. Although the project ends in four months, the team continues to have an active interest in the area and was keen to involve more of the community (hence this event).

21. How much funding has been provided for the 06/02 programme?

The figure is believed to be around £650K.

22. What are the trust issues involved in devolved systems?

The trust issues in devolved systems are very similar to those already in place, since Athens has already devolved these issues to institutions. Different providers naturally have different attitudes to levels of trust, but it is in their interest for their resources to be used, so most are willing to tolerate a small amount of potential abuse.
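The exchange described in questions 3 and 17 above (attributes sent to the provider instead of a login there, a fresh opaque handle per transaction, the campus as information holder, and the user choosing whether e-mail or only affiliation is released), as an added worked example. This is illustrative Python written for this page; it is not code from the original page or from the Shibboleth software, and it omits the SAML message encoding and real credential checking. The campus directory, the attribute names (borrowed from the eduPerson schema), the provider names and the release policy are all constructed sample data.

```python
"""Toy model of a Shibboleth-style attribute exchange (added illustration).

Not the Shibboleth software. Directory, attribute names, target names and
release policy below are constructed; authentication and SAML are omitted.
"""
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed campus directory. The campus holds the data; providers must ask.
USER_DIRECTORY: Dict[str, Dict[str, str]] = {
    "jsmith": {"eduPersonAffiliation": "staff", "mail": "j.smith@campus.example"},
    "abrown": {"eduPersonAffiliation": "student", "mail": "a.brown@campus.example"},
}

# Constructed release policy: per user, per target, which attributes may be
# released. "*" is the default for targets the user has not listed.
# jsmith releases affiliation only; abrown also releases mail.
RELEASE_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "jsmith": {"journals.example": {"eduPersonAffiliation"}, "*": set()},
    "abrown": {"journals.example": {"eduPersonAffiliation", "mail"}, "*": set()},
}


class Campus:
    """Origin site: logs users in and answers attribute queries about handles."""

    def __init__(self, directory: Dict[str, Dict[str, str]],
                 policy: Dict[str, Dict[str, Set[str]]]) -> None:
        self._directory = directory
        self._policy = policy
        self._handles: Dict[str, Tuple[str, str]] = {}  # handle -> (user, target)

    def login(self, username: str, target: str) -> Optional[str]:
        """Issue a fresh, unguessable handle for one session with one target.

        Credential checking is omitted (assumption). The handle carries no user
        information and is never reused, so the provider cannot link sessions.
        """
        if username not in self._directory:
            return None
        handle = secrets.token_urlsafe(24)
        self._handles[handle] = (username, target)
        return handle

    def attribute_query(self, handle: str, requester: str) -> Optional[Dict[str, str]]:
        """Resolve a handle presented by `requester` under the release policy.

        None if the handle is unknown or was issued for another target, so a
        handle seen at one provider cannot be replayed at another. Single use.
        """
        entry = self._handles.pop(handle, None)
        if entry is None:
            return None
        username, target = entry
        if target != requester:
            return None
        user_policy = self._policy.get(username, {})
        allowed = user_policy.get(requester, user_policy.get("*", set()))
        return {k: v for k, v in self._directory[username].items() if k in allowed}


class Provider:
    """Target site: decides on attributes alone; it never sees the username."""

    def __init__(self, name: str, campus: Campus, admitted: Set[str]) -> None:
        self.name = name
        self.campus = campus
        self.admitted = admitted  # affiliations this provider licenses

    def access(self, handle: str) -> bool:
        attrs = self.campus.attribute_query(handle, self.name)
        if not attrs:
            return False
        return attrs.get("eduPersonAffiliation") in self.admitted


def demo() -> Dict[str, object]:
    """Run the exchange end to end and return what each side observed."""
    campus = Campus(USER_DIRECTORY, RELEASE_POLICY)
    journals = Provider("journals.example", campus, {"staff", "student"})
    other = Provider("other.example", campus, {"staff"})

    first = campus.login("jsmith", "journals.example")
    second = campus.login("jsmith", "journals.example")
    results: Dict[str, object] = {
        "handles_differ": first != second,         # fresh handle per session
        "staff_admitted": journals.access(first),  # affiliation alone suffices
        "replay_elsewhere": other.access(second),  # wrong target: refused
    }
    # What each provider is actually told, under the users' own release choices.
    results["seen_for_jsmith"] = campus.attribute_query(
        campus.login("jsmith", "journals.example"), "journals.example")
    results["seen_for_abrown"] = campus.attribute_query(
        campus.login("abrown", "journals.example"), "journals.example")
    # An unlisted target falls back to the default policy and learns nothing.
    results["seen_by_other"] = campus.attribute_query(
        campus.login("jsmith", "other.example"), "other.example")
    results["bogus_handle"] = campus.attribute_query("not-a-handle", "journals.example")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry the privacy argument of question 17: the handle is random and bound to the target it was issued for, so it identifies nothing and cannot be replayed elsewhere, and the provider only ever receives the subset of attributes the user's policy allows for that provider, pulled from the campus rather than pushed wholesale.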
Pages maintained by Nicole Harris, info@angel.ac.uk. Page last updated: 11 November, 2002.