Certificate-based Authentication to JSTOR
Spencer W. Thomas
Dec 1, 2001
What is JSTOR?
• A digital archive of academic journals.
• Our constituents are
  • Scholars
  • Libraries
  • Publishers
• Our mission is to
  • Improve access
  • Provide comprehensive and reliable archive
  • Preserve content
  • Reduce library costs
  • Help publishers and societies make transition to electronic publishing
Who has access to JSTOR?
Individuals in the scholarly community have access to JSTOR through their affiliation with:
• Academic and Research Institutions “faculty, students, staff and people physically present on campus”
• Publisher Individual Access Programs
Authentication versus Authorization
• Cleanly separate (expensive) authentication from (cheap) authorization.
• Authentication = “who you are”
• Authorization = “what you can do”
• Authentication informs authorization.
• Authenticate once, authorize each request.
Current Authentication to JSTOR
Users’ organizational affiliations (“site”) determine their access rights
• IP-based
• Scripted access
• Remote access, publisher-mediated access
• Username/password
• Individuals (maintained by publisher)
• Sites w/o stable or distinguishable IP
Authorization to JSTOR
• Authentication produces “ticket”
• Ticket is user’s authorization to use JSTOR
• Ticket stored as “cookie” or in URL
• Ticket defines access rights
• Ticket has defined lifetime
Certificates: Another Authentication Option
• Goal: provide a useful authentication option
• When IP-based access is impractical
• Mobile users
• Authentication can be transparent
• Certificate authentication happens upon entry to JSTOR, rest of JSTOR session is unchanged
JSTOR Certificate Pilot Implementation
• Object: get experience with cert-based auth
• Limited testing -- no “real users” yet
• Certificate Issuer maps to “site”
• Certs to be issued only to authorized users
• Supports “DLF” LDAP query protocol
• No support for revocation (yet)
• Available at https://www.jstor.org/logon/remote
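An added sketch (not JSTOR's implementation and not code from the slides) of the flow the ticket and pilot slides describe: the certificate issuer is mapped to a site once at entry, and each later request is checked against the ticket alone. The HMAC-signed ticket format, the key, the issuer DN, the rights names and the one-hour lifetime are assumptions, and certificate chain validation is assumed to have been done by the TLS layer.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"   # assumption: server-side signing key
TICKET_LIFETIME = 3600             # assumption: ticket lifetime in seconds
# Constructed issuer DN mapped to a hypothetical site record and rights.
DEMO_ISSUER = "CN=Example University CA,O=Example University,C=US"
ISSUER_TO_SITE = {
    DEMO_ISSUER: {"site": "example-univ", "rights": ["browse", "search"]},
}

def _sign(body: bytes) -> bytes:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()

def authenticate(issuer_dn, now=None):
    """Expensive step, run once at entry: map the issuer of an already
    verified client certificate to a site and mint an expiring ticket."""
    record = ISSUER_TO_SITE.get(issuer_dn)
    if record is None:
        return None                      # unknown issuer: no site, no ticket
    now = time.time() if now is None else now
    claims = {"site": record["site"], "rights": record["rights"],
              "exp": int(now) + TICKET_LIFETIME}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body).decode()

def authorize(ticket, action, now=None):
    """Cheap step, run on every request: verify the ticket's signature,
    then its lifetime, then whether it grants the requested action."""
    try:
        body, sig = ticket.rsplit(".", 1)
    except (AttributeError, ValueError):
        return False                     # missing or malformed ticket
    if not hmac.compare_digest(sig.encode(), _sign(body.encode())):
        return False                     # altered cookie or URL ticket
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    return now < claims["exp"] and action in claims["rights"]

if __name__ == "__main__":
    ticket = authenticate(DEMO_ISSUER)
    print(authorize(ticket, "search"), authorize(ticket, "bulk-export"))
```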
The Future of Authentication
• Not going to get easier.
• Certificates provide some hope
  • Mobile users
  • Reduce IP database maintenance
  • Potentially greater accountability
References
• http://www.jstor.org/about/
  • Terms & conditions, privacy policy, mission, etc.
• http://www.jstor.org/about/authentication.html
  • Discussion of JSTOR authentication options (certificates section is generic at this point)
• http://www.diglib.org/architectures/digcert.htm
  • “DLF” query protocol for cert authentication.