Issues in Science and Technology Librarianship, Spring 1999
DOI:10.5062/F4F47M3Z
URLs in this document have been updated. Links enclosed in {curly brackets} have been changed. If a replacement link was located, the new URL was added and the link is active; if a new site could not be identified, the broken link was removed.
For many libraries today, the electronic journal has become an integral part of serials collection development. Some libraries have chosen to drop long standing print subscriptions in favor of their electronic counterparts to save both money and shelf space. Although this reasoning makes sense, there are still important and unresolved issues with electronic journals concerning costs, archival access, and authentication methods.
Because these issues are still hotly debated, it is imperative that librarians and publishers work together and seek a common understanding. One organization, The International Coalition of Library Consortia, has taken a leadership role in this effort on behalf of libraries by drafting their Statement of Current Perspective and Preferred Practices for the Selection and Purchase of Electronic Information (International Coalition of Library Consortia ICOLC 1998).
This document addresses fair use, archiving, pricing, contracts, licenses and authentication among other issues. Early evidence of this document's success can be seen from the official responses of major publishers such as Elsevier, HighWire Marketing Group, and MCB Press each agreeing with parts of the document. More importantly, the ICOLC has created a point of departure from which all parties can begin the process of establishing standards and practices for electronic journals.
For libraries serving dispersed constituencies the issue of authentication to electronic journals is paramount. The approach taken by many publishers to limit access options at the expense of some eligible users is understandable, considering their concern that profits from print subscriptions may be negatively affected by electronic journals. Unfortunately, this strategy of caution undermines the responsibility of libraries to provide access to all patrons.
Because IP filtering requires little maintenance, aggregators and publishers have adopted this form of access control, effectively shifting the onus of authentication to the subscribing library. As a result, many libraries must now be able to identify IP address information and the total number of computers associated with each subnet for their institution's network. To complicate this maintenance, some publishers require that the entire IP address be submitted for class B networks. For institutions using dynamic IP addressing, this information can be difficult to discern.
As is typical of health sciences libraries, our library has a dispersed patron base, with many of our clinical users scattered among various hospitals and clinics in the St. Louis metropolitan area. Our library also supports distance education students in the graduate school of nursing from Missouri, Illinois, Wisconsin, Oklahoma, Texas, Florida and Puerto Rico.
Because IP filtering is the predominant method of determining who gets access to electronic journals, libraries such as ours with distributed clientele are at a disadvantage. Another factor our library must contend with is that our subscriptions to electronic journals are divided between those shared within the MERLIN consortium and those purchased uniquely by our library. This issue becomes relevant when discussing a proxy server.
As a librarian in a health sciences library, I am admittedly still learning about authentication strategies like many of my colleagues. As our library continues to add more electronic journal subscriptions, my thoughts immediately turn to the question of accessibility. The conundrum that many libraries, including ours, now face is how to work within the established definition of eligibility being based upon proximity rather than credentials. For libraries supporting off campus faculty, distance education students, and local students dialing in to the Internet from home, the current definition of eligibility established by many publishers doesn't work.
The intent of this article is to share one library's experience with learning about the issues of remote access and authentication. Different access methods will be discussed in the context of our library's particular situation and patron needs. Because we are still in the learning phase with this issue, readers of this article expecting to learn of a new authentication process will be disappointed. Hopefully by sharing our experience at Saint Louis University other libraries will realize that the problems they are facing are not unique to their institution.
Unfortunately or fortunately, depending upon your point of view, few electronic journal publishers offer password access to their journals. One of the major advantages of passwords being distributed by a publisher is that the user can access the electronic journal from any location because access is based upon the user's credentials. Another advantage is that this method shifts the burden of authentication to the vendor, freeing the library of the responsibility of providing IP address information for their institution.
When publishers and aggregators offer institutional passwords, libraries are faced with the question of how to manage and distribute these passwords to patrons. To address this issue, our library had originally decided to create a secure web page that would list links to electronic journals with their respective password information. A single password would be created for this page and only given out to our patrons after we had personally authenticated their status. To ensure protection for the publishers, we would change the password every semester. However some electronic journals, such as Lancet, require that only a librarian see the password to access their journal. This means that a librarian must physically log a user into the journal. As a result of this stipulation, our original plan to offer password information to our patrons behind a secure web page could not be used.
Because most of the electronic journals that our library subscribes to are IP filtered, we began the process of investigating strategies that would allow all of our users to be associated with our university Internet domain. There are two general approaches to funneling disparate users through a common Internet domain: credential-based access and a proxy server. Each method has distinct advantages and disadvantages.
X.509, still in the process of becoming a ubiquitous standard, is a fairly sophisticated authentication technique built upon public keys and certificates for establishing a user's identity. A user is required to provide an encrypted certificate with personal information about his or her identity. This certificate is then paired with the user's public key information that can be seen by other servers. Certificates can be created with special software or received from third party entities known as certification authorities. A certification authority is essentially an Internet notary, attesting to the identity of an individual. Certificates are sent via a web browser and authentication handled on a server that accepts X.509 certificates with an access control list of eligible users.
Although this approach to authentication has intriguing potential, it is still new and doesn't fit well for most libraries at this time. For our library, X.509 was not a serious option for many reasons. First, the infrastructure needed to establish and maintain an X.509 authentication system was too substantial for our library. There is also the problem that a certificate is associated with a specific computer. This model works for an individual's computer but not for public computers that are shared. For the distance education student using a computer in a public library, the X.509 certificate is not a feasible solution. There is also the issue of government regulation of X.509 cryptography with certain foreign countries. Legislation dealing with this issue includes the PROTECT Act [S 798], the E-RIGHTS Act [S 854] and the SAFE Act [HR 850] (Center for Democracy and Technology 1999).
Another authentication scheme based on encrypted credentials is Kerberos (Massachusetts Institute of Technology 1998). Created at MIT and freely available, Kerberos uses hidden tickets that can be used over open networks for authentication. A central server with account information authenticates each ticket and then passes the user through to the resources on that server. Kerberos was developed with an emphasis on security and uses a strong cryptography protocol that can be used on insecure networks.
Unfortunately for our library, the paradigm for Kerberos is based upon the local central server housing the restricted resources. For databases loaded locally in the library this may be an option for authentication; however the electronic journals our library subscribes to are housed on aggregator and publisher servers. Another issue with Kerberos, like that of X.509, is that authentication is tied to a physical workstation and not to a user.
When considering a credential-based scheme with our library's authentication needs, we collectively concluded that this approach was not a viable option for our library at this time. The investment in establishing an access control server with a database of health sciences patrons was simply too large an undertaking for our small systems department. However, there are many authentication schemes of this type being successfully used by other libraries, including the Big Ten's ICAAP Project, Bluestem at the University of Illinois and UCLA's authentication system developed with Public Key Infrastructure (PKI).
Basically the proxy server works by masking remote users with the accepted IP address needed to access an electronic journal, database, or other resource restricted by an IP address. Users configure their browsers to access a proxy server and are prompted to authenticate themselves upon linking to an access-controlled resource. Authentication may require a user's name, social security number, student identification number, or other unique piece of information that will identify a user.
The most attractive feature of the proxy server is that a user may access a restricted resource from any location. Configuring a browser to use a proxy server is a relatively straightforward process that most patrons can do with little support.
As with all good things, there are negative aspects associated with a proxy server. The most salient problem is that some publishers and aggregators refuse access to their electronic journals via a proxy server. The American Association for the Study of Liver Diseases, which provides access to Hepatology and Liver Transplantation and Surgery, and The Federation of American Societies for Experimental Biology, which publishes FJ Online, are two examples of publishers that explicitly prohibit the use of a proxy server to access their electronic journals.
Another point to consider is that a proxy server can also be a potential bottleneck for access. Because all users are funneled through a proxy server, it represents a single point of failure if it becomes unavailable.
With respect to our library, many of us felt that the proxy server represented the best option for remote support. However as we began the investigative process into what was entailed with setting up a proxy server, we discovered that there were many practical and technical issues to consider and that this project would be better implemented on the enterprise level of our university rather than by our library.
Our library also discovered that a proxy server did not adequately address the issue of granularity, the ability to distinguish users based upon specific IP addresses and subnets. This is important because some publishers base access upon IP addresses for specific subnets and individual computers within a network.
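An added example, not part of the original article: a sketch of how a publisher-side IP filter checks a request's source address against licensed subnets, and why funneling every user through one proxy address restores remote access but loses subnet-level granularity. The journal names, subnets, client addresses and proxy address are constructed for illustration.

```python
import ipaddress

# Constructed publisher-side allow-lists: each license is keyed to the
# subscriber subnets entitled to it (RFC 5737 documentation ranges).
LICENSES = {
    "journal-campus-wide": ["192.0.2.0/24", "198.51.100.0/24"],
    "journal-medical-only": ["198.51.100.0/25"],  # one subnet of the campus
}
PROXY_ADDR = "192.0.2.10"  # hypothetical campus proxy, inside the first range

# Constructed clients: a medical-library workstation, a main-campus
# workstation, and a distance student on a home ISP address.
CLIENTS = {
    "medical-desk": "198.51.100.20",
    "main-campus": "192.0.2.77",
    "home-student": "203.0.113.5",
}


def publisher_allows(journal, source_ip):
    """IP filter as the publisher applies it: source address vs. licensed subnets."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(net) for net in LICENSES[journal])


def source_seen_by_publisher(client_ip, via_proxy):
    """A proxy replaces the client's address with its own on the outbound request."""
    return PROXY_ADDR if via_proxy else client_ip


def access_matrix(clients, via_proxy):
    """Return {(client, journal): allowed} for every client/journal pair."""
    return {
        (name, journal): publisher_allows(
            journal, source_seen_by_publisher(ip, via_proxy)
        )
        for name, ip in clients.items()
        for journal in LICENSES
    }


if __name__ == "__main__":
    for via_proxy in (False, True):
        print("via proxy" if via_proxy else "direct")
        for key, ok in access_matrix(CLIENTS, via_proxy).items():
            print("  ", key, "allowed" if ok else "denied")
```

Through the proxy the home student reaches the campus-wide journal, but the medical workstation loses the subnet-restricted one because the publisher now sees only the proxy's address; adding that address to the restricted list would instead open the journal to every proxied user.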
Another factor for our library is that our electronic journals are comprised of both unique and shared subscriptions. This was a potential problem because our consortium was planning to develop a proxy server that would provide access for only shared resources. For our university to establish a second proxy server for unique resources would mean that users would have to reconfigure the proxy settings in their browsers depending upon the journal they chose to access. Obviously this would create too much confusion and work on behalf of the patron. Our other option would be for our university to create its own proxy server for all of our electronic journal subscriptions, effectively duplicating much of the work of the consortium proxy server.
| | Secure | Low Maintenance | Low Cost | Authentication Based on User | Authentication Based on Computer | Authentication Based on Location | Privacy Issues | Granularity |
|---|---|---|---|---|---|---|---|---|
| IP Filter | | | | | | | | |
| Username/Password | | | | | | | | |
| Credential-Based | | | | | | | | |
| Proxy Server | | | | | | | | |
This utility, Web Access Management (WAM) developed by Innovative Interfaces, offers many features, including the ability to handle shared and unique resources within a consortium. WAM also provides usage statistics for patron groups defined by the library. To many of us, having our ILS function as a proxy server is an attractive option because it eliminates the need for a secondary access control server. One negative trade-off is the extra burden of more users being handled by our ILS server.
As I mentioned earlier in this article, readers who expected to learn of a new authentication process would be disappointed. In fact, I believe that this issue requires more than just technology to bring about a long term solution. It is my hope that by sharing our library's experience, we may help foster discussion on how to ensure that all patrons are able to access the materials they are entitled to use.
International Coalition of Library Consortia ICOLC. March 1998. Statement of Current Perspective and Preferred Practices for the Selection and Purchase of Electronic Information. [Online]. Available: {http://web.archive.org/web/20120101192037/http://www.library.yale.edu/consortia/statement.html} [May 5, 1999].
Massachusetts Institute of Technology. June 1998. What is Kerberos? [Online]. Available: http://web.mit.edu/kerberos/www/ [May 5, 1999].
National Center for Education Statistics. February 1998. Distance Education in Higher Education Institutions: Incidence, Audiences, and Plans to Expand. [Online]. Available: {https://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=98132} [May 5, 1999].