Workshop on Rights Management: Workshop Summary
The Development of Authorization Systems: A workshop on requirements
Increasing amounts of knowledge and information are produced and made
available only in digital form. Colleges, universities, libraries,
publishers, and a variety of other parties associated with higher
education share substantial interests in the means of producing and
disseminating knowledge and information in digital form. Moreover,
the qualities of digital information and digital technologies make it
possible to improve the means of managing intellectual property, to
enhance the quality of the educational experience, and to extend the
reach of the academic enterprise to distance learners, alumni, and the
general public. However, multiple obstacles impede the ability of
those with stakes in higher education to integrate digital information
into the larger academic information environment and to achieve these
other related goals. One set of obstacles is the lack of
well-developed systems of authentication and authorization as part of
an overall access management system.
Systems of authentication and authorization.
For purposes of using digital information, systems of authentication
and authorization consist of several component processes distinguished
by whether they focus on the user or the provider of an information
object. One process must authenticate the identity of the user by
affirming that the person is who he or she claims to be. Another must
authenticate the properties of an information object, ensuring that it
is what it purports to be. An authorization process, on the user
side, links an identity to a valid set of rights and duties in a role
relative to an information object or set of information objects. For
example, I may be authorized as a student of a university to use the
Britannica Online. On the provider side, an authorization process
links the properties of an information object with a set of terms and
conditions for rightful use. Thus, for example, a publisher may
authorize a journal for use by the faculty and students of a
particular university, but not by its alumni. Use occurs at the
intersection of these authorization processes, when a user is
validated to exercise a set of rights and duties that meets the
provider's terms and conditions.
For managing authentication processes in the digital environment, a
number of technical facilities have emerged and are presently being
implemented. For example, colleges and universities are turning
increasingly to Kerberos as a means of authenticating individuals as
members of their communities. Cryptographic methods, including
digital watermarking, are available and a variety of object identifier
schemes are under development for ensuring that digital information is
authentic and uncorrupted. Less well developed, however, and in much
need of sustained investment, particularly for digital information
objects, are the means of authorization.
The primitive state of authorization systems.
Rudimentary means of authorization, of course, do exist. For example,
institutions now use, almost ubiquitously, authorization schemes based
on Internet IP addresses. Under such schemes, the use of a computer
bearing an IP address belonging to an institution is presumed to
qualify an individual as a member of an authorized class of users for
a particular digital information product or set of products. However,
IP addressing simply turns information products on or off for an
entire geographically-related population when the institutions may
actually need products only for faculty or only for participants in a
course of study, or when they may need differential access for a
subclass of users, such as alumni. Just as the use of IP addressing
as a means of authorization prevents colleges and universities from
making the distinctions they need to make - and do make for
information products in other forms - dependence on this means of
authorization also hinders providers from usefully differentiating
their products. They are also prevented from targeting specific
markets and opening new markets, as well as from experiencing the growth
and efficiency of business that typically accompanies such
differentiation.
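The contrast drawn above, as an added example that is not part of the original workshop text: an IP-address check beside a check that intersects the user's roles with the provider's terms. The network range, user names, roles, and product names are constructed assumptions, and the user's identity is assumed to have been authenticated already (for example by Kerberos).

```python
import ipaddress

# Constructed sample data (assumptions for illustration, not from the page).
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")  # documentation-only range

# User side: an authenticated identity is linked to a set of roles.
USER_ROLES = {
    "alice": {"faculty"},
    "bob": {"student"},
    "carol": {"alumni"},
}

# Provider side: an information object is linked to the roles its terms permit.
PRODUCT_TERMS = {
    "journal-x": {"faculty", "student"},  # licensed for faculty and students only
    "course-reader": {"faculty"},
}


def ip_authorized(client_ip: str) -> bool:
    """IP scheme: any machine on the campus network is presumed authorized."""
    return ipaddress.ip_address(client_ip) in CAMPUS_NET


def role_authorized(user: str, product: str) -> bool:
    """Role scheme: use is allowed where user roles meet the provider's terms."""
    roles = USER_ROLES.get(user, set())            # unknown identity: no roles
    permitted = PRODUCT_TERMS.get(product, set())  # unknown object: deny
    return bool(roles & permitted)


def compare(user: str, client_ip: str, product: str) -> dict:
    """Return both decisions for the same request so they can be contrasted."""
    return {
        "ip": ip_authorized(client_ip),
        "role": role_authorized(user, product),
    }


if __name__ == "__main__":
    # An alumna at a campus workstation: the IP scheme admits her although
    # the journal's terms exclude alumni.
    print(compare("carol", "192.0.2.10", "journal-x"))
    # A faculty member off campus: the IP scheme refuses a licensed user.
    print(compare("alice", "198.51.100.7", "journal-x"))
```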
Steps needed.
If one can assume that there is momentum already driving the
development of systems of authentication, and can focus on efforts to
improve systems of authorization, several steps are needed. First,
specific requirements for distinguishing user roles and product terms
and conditions must be defined for specific applications. Second,
institutions must gain experience with more sophisticated and flexible
authorization mechanisms, such as digital certificate systems, that
could be used to meet the specified requirements.
One way of gaining such experience is to deploy alternative mechanisms
in a controlled and measured way, for example, as a substitute for the
simple functionality provided by IP addressing. Given controlled
implementations of alternative mechanisms and a set of requirements
for expanding the functionality of these alternatives, the stage will
then be set for a series of pilot implementations of certificates and
other alternatives to IP addressing that make sophisticated
distinctions among user roles and provider products.
A workshop on defining authorization requirements.
To contribute to the process of formally defining requirements for
more sophisticated authorization systems, the Digital Library
Federation (DLF) and the Center for Research on Information Access at
Columbia University, with support of the National Science Foundation,
propose to convene a workshop to take place later this spring. In
September 1996, Judith Klavans of the Center for Research on
Information Access at Columbia University and James R. Davis of Xerox
PARC convened a workshop on the subject of terms and conditions for
digital works. The workshop being planned for this spring will build
on outcomes of the earlier meeting and advance the program of DLF in
three ways. First, the scope of the upcoming meeting will seek
further to distinguish and define both terms and conditions of use on
the provider side and roles, rights, and responsibilities on the user
side. Second, participants in the upcoming meeting will define the
system requirements concretely in terms of two specific scenarios
representing cases that urgently need attention. Third, the workshop
will seek, by concretely defining requirements, to contribute to
related work elsewhere, such as the development of the Coalition for
Networked Information (CNI) White Paper on inter-organizational access
management. It will help identify needed research in programs such as
the Digital Library Initiatives and NSF's Knowledge and Distributed
Intelligence program, and it will provide a springboard for
implementation projects.
One scenario to be explored in the workshop involves the exchange of
scholarly information products in which academic institutions are the
providers to users in the general public or at other academic
institutions.
Consider that the Digital Library Federation seeks to integrate
digitized works on the theme of "Making of America" from a variety of
its participating institutions. Some of the DLF institutions, such as
the Library of Congress and the New York Public Library, seek to
provide their works generally to the public. Other DLF institutions
have narrower goals, and aim to provide their works mainly to an
academic constituency. Regardless of whom they regard as their main
audience, all seek to distribute the work as broadly as possible while
protecting the works they provide digitally from misuse. How can the
roles of the expected user populations and the differing conditions
under which the institutions operate as providers best be defined and
matched without compromising the larger goal of effectively
integrating the distributed collections of materials?
The other scenario around which the planned workshop will be built is
the case of academic institutions licensing electronic journals from
publishers or publishers' agents, such as High Wire Press or OCLC.
Contracts today typically provide for "campus-wide site licenses."
The workshop will develop a more complicated model. What sets of user
roles might the licensing agents on campuses plausibly want to
differentiate? What conditions would a publisher need to provide in
order to support such differentiated access?
To ensure that the workshop is a manageable size for discussion
focused on concrete outcomes, the workshop will be limited to 25
participants with known interests in these scenarios and relevant
experience and expertise. Participants will include a mix of
librarians, technologists, publisher/distributors, and legal
specialists. The workshop will proceed according to the following
plan of work:
The organizers expect this workshop to generate a set of requirements
for authorization systems generalized from the concrete scenarios
discussed. The requirements will take the form of distinct user roles
associated with rights and duties and products differentiated to
address these roles. The workshop is also expected to outline a set
of implementation projects and to identify gaps in knowledge or
technologies that require further research, perhaps in the context of
the next round of NSF-sponsored digital library initiatives. The
organizers will generate a summary report of the workshop that will be
posted to the Web and publicized via appropriate distribution lists.
The results of the workshop will also be presented for wider scrutiny
and discussion at CNI, the Common Solutions Group meeting, and other
forums as appropriate.
Support for travel
The National Science Foundation and the Digital Library Federation are
the primary sources of funding for the workshop and will cover
reasonable travel costs for participants from university and other
not-for-profit organizations. Airfare will be reimbursed in an amount
not to exceed rates that include a Saturday night stay. Participants
from commercial organizations will be expected to pay their own
expenses. Further details will be available on a Web site for the
conference, which will be constructed by the end of February.
This page is located at http://www.cs.columbia.edu/~klavans/Cria/Current-projects/RightsManagement/summary.html
This page was last updated on 3/21/98