-----BEGIN PGP SIGNED MESSAGE-----
[copied to the mail-security list...]
"Andrew Young" writes:
| > I've been reading Andrew Young's paper on JANET Authorisation and
| > Encryption services
| > (http://www.niss.ac.uk/education/jisc/acn/authent/young.html). I can
| > see this service adding a much-needed layer of security for those operating
| > eLib services (such as SCOPE).
| I'm glad you think the paper is aiming at the right target!
|
| > 1. Can a user (student) use this service from a computer outwith academia
| > (via commercial ISP?)?
| Yes. Secured versions of any user agents involved would work with any Winsock
| compatible internet access suite (this means pretty much anything, even
| Compuserve). As discussed in section 5, unmodified versions of user agents
| would still be able to use some facilities. Use from home and while
| travelling abroad was definitely something I was thinking of.
It's perhaps also worth bearing in mind the session level encryption
capabilities provided by the likes of the ssh software :-
<URL:http://www.cs.hut.fi/ssh/>. I was surprised to see no mention of this, given
its popularity. [Thinks... Anyone operating a JISC service who
regularly remotely logs in to Unix boxes from other sites really ought
to be using something like this! And logdaemon, and TCP wrappers...]
This gives you the opportunity to create a properly authenticated and
encrypted connection between the punter's machine and the target
server. It may then be possible to point their regular user agent
type program at their computer's "end" of the connection - depending
on the application protocol being used, e.g. telnet and X Windows are
OK. This way the punter doesn't have to learn how to drive a new user
agent, or hack their existing one to bits to integrate the auth/crypto
support.
| > 2. If the service is open to the type of access mentioned in 1 above, can it be
| > extended to allow certified access from outwith the UK? This would be very
| > useful in delivering materials for distance learning.
| Extending the authentication server mechanism outside *.ac.uk would be
| possible, though would require a lot of thought and planning. As implied by
| 1 above, it does not matter where in the world a user is located. Therefore,
| something equivalent to what you are thinking of may be possible anyway.
Presumably there would be scope for integration with the global
network of PGP keyservers and whatever the X.509 crowd eventually come
up with ?
In any case, much of this ground seems to have been covered already,
e.g. in the work on distributed keyservers which Piete Brooks and co
have been doing. Piete - perhaps you could say a word or two about
this ?
| > 3. Will a WWW compliant system be up and running (completely) soon or is
| > there a bit of pilot testing to do?
| My document did not include consideration of WWW (there was a parallel study
| by Andrew Cormack that considered that - I presume it's been published in the
| same way as my paper). What I described is just a concept, and even pilot
| testing is a distant light (others can give a better answer to this than I
| can)
<URL:http://back.niss.ac.uk/education/jisc/acn/authent/cormack.html>
Here's a sort of meta-comment on all of this :-
I think what people are doing in software terms for authentication and
encryption right now (in the cases where they do *anything*!) is
something like...
* PGP for mail and news (not to mention BinHex and uuencode :-)
* ssh for encrypted remote login, command execution and file
  transfer (but still mostly Unix users)
* S/Key or OPIE for one-time passwords and no encryption,
  with remote login and file transfer, e.g. the logdaemon
  package - <URL:ftp://ftp.win.tue.nl/pub/security>
* SSL for authentication and encryption of HTTP (Web) traffic,
  built-in (but crippled) to Netscape and Internet Exploder
Strikes me there's a lot of potential for code re-use here, though it
might be quite painful to try and hack things so that (for instance)
you get that uniform user interface when doing a remote login. Better
to concentrate on that authentication step and not try to create lots
of "specials" for UK HE ? Ideally the proxy authentication code would
end up incorporated in the packages themselves, so that other people
apart from us lot could benefit from it ?
Speaking of which... surely the authentication server *must* support
encrypted connections, preferably with a large key size, and clients
acting as proxies on behalf of the end user (e.g. a JISC service being
logged in to) *must* always take advantage of this when sending
passwords around ? :-)
Cheerio,
Martin
PS You talk about escrow (yuck!) of whole private keys on the
authentication server. Perhaps it would be better if escrowed keys be
split into two or more parts, which may not all be held onsite. This
would make it a bit more difficult to abuse the system ?
PPS And what about Kerberos as the actual authentication protocol ?!
| Andrew
|
| P.S. please cc me on any followup as I don't subscribe to this list
| --
| Andrew Young Work: [log in to unmask]
| Information Technology Institute Tel: 0161 745 5257
| University of Salford Home: [log in to unmask]
| Manchester M5 4WT URL: http://www.demon.co.uk/andy
|
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
-----END PGP SIGNATURE-----
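
The split-escrow idea raised in the PS above, as an added example that is not part of the original message: an n-of-n XOR split in Python, where every part is needed to rebuild the key and a stored digest lets the escrow holder detect a missing or altered part. The function names and the sample key bytes are constructed for illustration, and the key material is assumed to be high-entropy.

```python
import hashlib
import hmac
import secrets
from functools import reduce


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, parts: int) -> tuple[list[bytes], bytes]:
    """Return (shares, check): all shares are needed to rebuild the key."""
    if parts < 2 or not key:
        raise ValueError("need a non-empty key and at least two parts")
    # parts-1 shares are uniformly random pads as long as the key.
    shares = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    # The final share is the key XORed with every pad, so any smaller
    # set of shares is statistically independent of the key.
    shares.append(reduce(_xor, shares, key))
    # Digest kept with the escrow record so a bad share is detected.
    # Assumption: the key is high-entropy, so the digest is not guessable.
    return shares, hashlib.sha256(key).digest()


def join_key(shares: list[bytes], check: bytes) -> bytes:
    """Rebuild the key; refuse if a share is missing, short or altered."""
    if len(shares) < 2 or len({len(s) for s in shares}) != 1:
        raise ValueError("shares missing or of unequal length")
    key = reduce(_xor, shares)
    if not hmac.compare_digest(hashlib.sha256(key).digest(), check):
        raise ValueError("reassembled key does not match escrow record")
    return key


if __name__ == "__main__":
    # Constructed 32-byte stand-in for a user's private key material.
    sample = bytes(range(32))
    shares, check = split_key(sample, 3)
    assert join_key(shares, check) == sample
    try:
        join_key(shares[:2], check)  # one custodian absent
    except ValueError as err:
        print("refused:", err)
```

Each share would go to a different custodian, at least one of them offsite; the digest can stay with the escrow record.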