The scope of workshop discussions was shaped partly by the facts in the scenarios and the questions asked, but perhaps more significantly by the balance of viewpoints inherent in the list of invitees and the experience of the individual participants. Most had considerable insight into the perspectives and legal responsibilities of both the users (or institutions acting as agents for users) and the providers of information resources. Many had also been involved in the parallel development of the CNI white paper and knew that some technical components were being explored in depth through that exercise. At this DLF-NSF workshop, they tended to focus on high-level requirements and policy issues, rather than on the technical details of automating the terms and conditions of use, which had been the major concern of an earlier NSF workshop. Instead, they concentrated on the problems universities and research libraries face today in their capacity as publishers of digital content created at their institution and as intermediaries licensing access from publishers and publishers’ agents.
Participants brought substantial real-world experience to the discussion of the scenarios. Many had participated in the negotiation of licenses between libraries and publishers and were familiar with the economic realities that underlie such negotiations and with the practical problems of compliance. Others had struggled to establish what rights might pertain to materials in archival collections being converted to digital form and fully recognize that converting and making such materials accessible entail high costs.
The discussion focused on traditional scholarly resources and relations between academic institutions and publishers of scholarly materials. The market for such content is limited; little new money will be entering the system in the near term. The challenge is to take advantage of the opportunities offered by the electronic environment without “rocking the boat.” The market for other classes of material, such as works aimed at the business or consumer market, might present very different issues. As pointed out in the earlier workshop, however, whatever the framework for managing access to digital works and balancing the rights and privileges of user and provider, its success depends on user acceptance. Any system that manages access to the growing body of scholarly journal literature that publishers are making available in digital form, for example, must be accepted by the higher education community represented at this workshop or be doomed to failure.
The scenarios prompted discussions on a wide range of topics beyond the specific questions posed in the instructions for the breakout groups. Despite the limitation inherent in a one-day meeting, common themes emerged in the three breakout groups. These themes can guide the design and development of prototype systems.
This report summarizes the workshop discussions under three thematic headings rather than following the day’s agenda. Although the discussions did not focus on technical matters, they were certainly built on some assumptions about the technical infrastructure. The first section below describes some of these implicit assumptions; they derive primarily from the CNI White Paper. The factors that affect user acceptance are drawn together in the second section. The third section extracts points that address the specific questions posed for consideration during the breakout sessions. Unanticipated issues that do not fit into these categories are described in a fourth and final section.
A common framework for distributed access management is needed to avoid the proliferation of incompatible mechanisms developed to support specific arrangements. This framework must be general enough to support different mechanisms for authenticating users and must meet global requirements. It must permit access to be controlled at the level of individual objects (such as articles or books), not just at the entrance to a system or service that provides access to a large body of materials.
Today the most common method of controlling access is to filter by source address as defined by the Internet Protocol (IP). This mechanism is not adequate for the longer term. A limitation of particular concern to participants in this workshop is the exclusion of authorized users when they are away from an authorized site. In addition, IP source filtering cannot be applied when providing services to the general public or small organizations, such as schools, which may not have permanent IP addresses.
Universities need to develop campus-based authentication and authorization schemes for purposes other than access to licensed information resources. Authorization systems, such as that described by Russell Vaught in his presentation, are needed to control access to grades and other personal records, to charge for dining services or bookstore purchases, to permit entrance to libraries and sports facilities, and so on. In many cases, university libraries will be able to build on these capabilities to authenticate users and provide credentials acceptable to an access management system. In some cases, a library may take a leading role in developing a campus-based authorization scheme.
As Donald Waters pointed out in his introduction, the CNI White Paper has identified three approaches to campus-based authentication and authorization that can interface with remote access management systems. The first approach is IP source filtering. The second is the provision of a gateway or proxy server to which each user must authenticate (typically using an ID and password) and through which all interactions with the remote system are transmitted. In the third approach, a campus-based authentication or authorization system issues credentials acceptable to the remote system. An important example of a credential is a digital certificate, whose data format follows a standard known as X.509; it is compatible with Web-based security protocols and is used for the distribution of secure information over the Internet. An acceptable access management framework must interface with all three mechanisms, since no one solution will be able to serve all campuses.
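The following sketch is an added example, not part of the workshop report or the CNI White Paper. It shows a provider-side decision made per object that accepts all three campus mechanisms, and how IP source filtering alone excludes an authorized user who is off site. The addresses, names, license table and the HMAC-signed assertion (a simple stand-in for an X.509 certificate) are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data: campus network, proxy address, key and license table.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
CAMPUS_PROXY = ipaddress.ip_address("192.0.2.10")
CAMPUS_KEY = b"constructed-demo-key"  # stand-in for the campus signing key
LICENSES = {
    "journal/article-17": {"example-university"},  # object -> licensed institutions
    "archive/photo-3": set(),                      # digitized, rights not yet cleared
}


def issue_credential(user, institution):
    """Campus side (approach 3): issue an assertion after local authentication."""
    body = f"{user}|{institution}"
    tag = hmac.new(CAMPUS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def institution_from_credential(credential):
    """Provider side: return the asserted institution if the tag verifies, else None."""
    try:
        user, institution, tag = credential.split("|")
    except ValueError:
        return None
    expected = hmac.new(CAMPUS_KEY, f"{user}|{institution}".encode(),
                        hashlib.sha256).hexdigest()
    return institution if hmac.compare_digest(tag, expected) else None


def authorize(object_id, source_ip, credential=None):
    """Decide access to a single object; returns (allowed, mechanism used)."""
    licensed = LICENSES.get(object_id, set())
    addr = ipaddress.ip_address(source_ip)
    institution, mechanism = None, "none"
    if credential is not None:          # approach 3: campus-issued credential
        institution, mechanism = institution_from_credential(credential), "credential"
    elif addr == CAMPUS_PROXY:          # approach 2: user authenticated to the proxy
        institution, mechanism = "example-university", "proxy"
    elif addr in CAMPUS_NET:            # approach 1: IP source filtering
        institution, mechanism = "example-university", "ip-filter"
    return (institution in licensed, mechanism)
```

The same off-site address that fails the IP check is admitted once the user presents a valid credential, and the unlicensed archive object is refused even from a campus address because the check is made per object.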