Lorcan Dempsey (I think) drew attention recently to articles on authentication
in Library Hi-Tech 15 (1-2).

I have just been reading the overview by Clifford Lynch which brings up
interesting issues - at least to me who doesn't know much about
authentication.

He suggests there are four methods of authentication (who the user is) and
authorisation (what they can access):

IDs and passwords - 'doing this for large numbers of users and large numbers of
services ... is unthinkable' Discuss in the UK context!!

IP address filtering - OK for access from fixed locations but not for users
with multiple accounts, from workplaces or from home. I suppose
off-campus use is much more common in the US, though increasing here.

Proxies - all (search) requests are validated before being sent on. This
apparently happens with Z39.50 and telnet. Main disadvantages are that
there is a single point of failure, single point of security weakness
and increased network activity and delays in processing.

Cryptographic certificates (X.509 standard) - an electronic ID card to present
to service providers as needed. These are awkward to issue, not very
portable, installing in a browser is not easy and are a 'nightmare' in
public labs, since they need installing before using a machine and removing
afterwards. Nevertheless Lynch thinks these are currently the best
strategy.

Is there UK experience of using proxies and certificates?
==========================================================================
Ian Winship
Information Services Dept. | e-mail: [log in to unmask]
University of Northumbria at Newcastle | phone: 0191 227 4150
City Campus Library | fax: 0191 227 4563
Newcastle upon Tyne |
NE1 8ST |
UK |
===========================================================================