This document outlines the fundamentals of JSTOR's authentication process, detailing its mission as a digital archive for scholars, libraries, and publishers. It explains the difference between authentication and authorization, how users access JSTOR through various means including IP-based and username/password methods, and highlights the implementation of certificate-based authentication. This approach aims to enhance accessibility for mobile users and simplify the authentication process while maintaining strict authorization controls. References for further exploration of the topic are included.
Certificate-based Authentication to JSTOR
Spencer W. Thomas
Dec 1, 2001
What is JSTOR?
• A digital archive of academic journals.
• Our constituents are
  • Scholars
  • Libraries
  • Publishers
• Our mission is to
  • Improve access
  • Provide comprehensive and reliable archive
  • Preserve content
  • Reduce library costs
  • Help publishers and societies make transition to electronic publishing
Who has access to JSTOR?
Individuals in the scholarly community have access to JSTOR through their affiliation with:
• Academic and Research Institutions: “faculty, students, staff and people physically present on campus”
• Publisher Individual Access Programs
Authentication versus Authorization
• Cleanly separate (expensive) authentication from (cheap) authorization.
• Authentication = “who you are”
• Authorization = “what you can do”
• Authentication informs authorization.
• Authenticate once, authorize each request.
Current Authentication to JSTOR
Users’ organizational affiliations (“site”) determine their access rights
• IP-based
  • Scripted access
  • Remote access, publisher-mediated access
• Username/password
  • Individuals (maintained by publisher)
  • Sites w/o stable or distinguishable IP
Authorization to JSTOR
• Authentication produces “ticket”
• Ticket is user’s authorization to use JSTOR
• Ticket stored as “cookie” or in URL
• Ticket defines access rights
• Ticket has defined lifetime
Certificates: Another Authentication Option
• Goal: provide a useful authentication option
  • When IP-based access is impractical
  • Mobile users
• Authentication can be transparent
• Certificate authentication happens upon entry to JSTOR; rest of JSTOR session is unchanged
JSTOR Certificate Pilot Implementation
• Object: get experience with cert-based auth
• Limited testing -- no “real users” yet
• Certificate Issuer maps to “site”
• Certs to be issued only to authorized users
• Supports “DLF” LDAP query protocol
• No support for revocation (yet)
• Available at https://www.jstor.org/logon/remote
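An added illustration (not JSTOR's code) of the ticket model the preceding slides describe: the expensive step, checking a presented certificate and mapping its issuer to a “site”, runs once on entry; every later request is authorized cheaply by verifying a MAC-protected ticket that carries the site's rights and a fixed lifetime. The issuer-to-site mapping, the rights table, the server key and the certificate fields are constructed assumptions.

```python
"""Model of 'authenticate once, authorize each request' with a lifetime-bound ticket."""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"          # assumption: secret held only by the server
# Assumption: certificate issuer (CA) -> site, as in the pilot slide ("Issuer maps to site")
ISSUER_TO_SITE = {"CN=Example University CA": "example-university"}
# Assumption: rights granted to each site
SITE_RIGHTS = {"example-university": {"search", "view", "print"}}
TICKET_LIFETIME = 3600                        # seconds; "ticket has defined lifetime"


def authenticate_certificate(cert: dict, now: float):
    """Expensive, once-per-session step. `cert` is a constructed dict standing in for a
    parsed client certificate (issuer DN plus validity window). Returns the site or None."""
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return None
    return ISSUER_TO_SITE.get(cert["issuer"])


def issue_ticket(site: str, now: float) -> str:
    """Mint the ticket: site, rights and expiry, protected by an HMAC so it cannot be
    altered by the holder. URL-safe base64 lets it travel in a cookie or a URL."""
    body = {"site": site, "rights": sorted(SITE_RIGHTS[site]),
            "exp": int(now) + TICKET_LIFETIME}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(SERVER_KEY, raw, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(raw).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def authorize(ticket: str, action: str, now: float) -> bool:
    """Cheap per-request step: verify the MAC, then the lifetime, then the right.
    No certificate handling happens here, which is the point of the split."""
    try:
        raw_b64, mac_b64 = ticket.split(".")
        raw = base64.urlsafe_b64decode(raw_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
        expected = hmac.new(SERVER_KEY, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False                      # tampered or forged ticket
        body = json.loads(raw)
    except ValueError:                        # malformed base64 or JSON (binascii.Error too)
        return False
    if now >= body["exp"]:
        return False                          # expired: user must authenticate again
    return action in body["rights"]
```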
The Future of Authentication
• Not going to get easier.
• Certificates provide some hope
  • Mobile users
  • Reduce IP database maintenance
  • Potentially greater accountability
References
• http://www.jstor.org/about/
  • Terms & conditions, privacy policy, mission, etc.
• http://www.jstor.org/about/authentication.html
  • Discussion of JSTOR authentication options (certificates section is generic at this point)
• http://www.diglib.org/architectures/digcert.htm
  • “DLF” query protocol for cert authentication.