The Chronicle of Higher Education
Monday, November 27, 2000

LOGGING IN WITH . . .
Clifford A. Lynch

Public-Key Security Systems Hold Promise for Academe

By FLORENCE OLSEN

Clifford A. Lynch is worried about who you are -- and especially about how computers know you're really the person you claim to be.

After 10 years as director of library automation for the University of California at Berkeley, Mr. Lynch became the director of the Coalition for Networked Information in 1997. He is also an adjunct professor of information management and systems at Berkeley.

C.N.I. -- a coalition of colleges, research libraries, and technology and content providers -- advocates the use of advanced computer-network technologies such as "public-key infrastructure," which comprises the software, policies, and practices for managing digital certificates and digital signatures.

A digital certificate is a small bit of code with identifying information about an individual. Associated with the certificate is a pair of encryption "keys," one private and one public. The two keys are used in mathematical computations that can certify a person's identity online, or create or verify a digital signature.

Mr. Lynch responded to questions by e-mail.

Q. Why is it proving so hard to establish people's identities online?

A. At one level, it's not hard. America Online does it every day for millions of its users. But it is hard to do it in a way that gives people confidence. We want an infrastructure that we can trust for controlling access to financial systems or medical records, or for validating financial transactions. We want a method that allows us -- but does not require us -- to match a person's network identity with his or her real-world identity.

Identity is pretty complex because it involves trust. If I have an ID card, or even a digital certificate, from Joe's Cheap Identities Inc., it may not mean much. A United States passport, on the other hand, is widely respected as an ID. It's a question of who issues the credentials and the procedures they go through. Institutions have to decide which certificates of identity they will trust.

We really mean "identity" not only as a name or identifier of a person but also as the attributes of a person -- roles, job titles, courses enrolled in. A digital certificate from the University of California that just says my name is Cliff Lynch is of limited utility. For many purposes, computer applications need to know more -- whether I'm a student, an adjunct professor, or whatever. These attributes can be bound into certificates. But because attributes are much more volatile than names, attributes are probably better stored in a secure directory database. Once a software application has established a user's identity, the application, if it is authorized to do so, can retrieve the user's attributes from the directory database.

Q. Are government and higher-education institutions being too cautious or not cautious enough about using a public-key infrastructure for digital signatures and other purposes?

A. Both the federal government and the technologically "leading edge" institutions in higher education are moving at reasonable speed, given the complexity of digital-signature technology and the surrounding legal, business, and policy issues. The members of both Net@edu within Educause and the Internet2 middleware initiative are working on these issues. Deployment is a complex and lengthy process, with wide-reaching implications. The public-key infrastructure must be integrated into administrative, academic, and library systems that require authentication, identification, and signatures. Interinstitutional agreements must be negotiated when universities want to use these tools for external business.

Q. Will the Electronic Signatures Act of 2000 accelerate the acceptance of digital signatures in higher education?

A. I'm not an expert on this, but my sense is that -- at least initially -- it will cause more confusion. A digital signature is a very specific kind of computational identifier. The new law permits a wide range of techniques, including simply tracing out your name with an electronic pen, as legally acceptable means for "signing" many types of digital documents.

Q. Is there a simple, practical way for colleges to set up the network infrastructure that digital signatures require?

A. There are a number of options. You can buy the components of the infrastructure from several vendors, you can outsource the entire thing to other vendors, or you can choose several variations in between. Institutions are trying out a variety of these options.

The hard parts all involve policy and deployment: Who gets certificates, what is contained in these certificates, and what is stored in separate directories? How are the certificates and directories linked together? How are names assigned? What unit or units within the institution can issue digital certificates and under what circumstances? Do people have to show up in person, with photo ID, for example? How do you get certificates securely into the "hands" of those who need them? When are digital signatures acceptable?

Q. Do academic libraries need such an infrastructure?

A. For any library that licenses access to network-based electronic resources on behalf of its user community, which is basically every academic library in the country, infrastructure is going to be important for authenticating users' identities and managing their access to online material. But publishers and commercial suppliers of networked-information resources are not ready yet. It's a chicken-and-egg problem.

Public-key infrastructure will also be important in contexts like distance education, for courses shared by institutions that may require access to electronic reserve files, or for course-specific, limited-access Web sites. Digital signatures will become important in the future for signing works -- everything from theses to working papers -- and for verifying authorship. Libraries will get involved with this, and so will publishers and registrars.



Copyright © 2000 by The Chronicle of Higher Education