TIES logo - link to home page an EDINA Project - link to EDINA home page

Background

The education community is recognising the need to develop infrastructure for strong authentication, both within the individual institution and across the sector. This is driven partly by the business requirements of institutions to support services such as those operated by MIS departments, and partly by a recognition of the need for a digital certificate infrastructure in support of external collaboration activity, such as e-Science research and VLE management. One danger is that each development could proceed in isolation, resulting in a number of distinct 'Public Key islands'. Such a piecemeal approach would increase both the complexity and overall cost to institutions which allowed uncoordinated development. A national framework would appear to offer wide benefit, and the present programme should result in a strengthened case for unified solutions.

While the initial impetus for the development of a digital certificate infrastructure has arisen from the need to provide JISC national services with open, vendor-independent standards for security, a key contributor to the pace at which the technology will actually be deployed is the extent to which institutions perceive digital certificate authentication as a necessary tool for their core functions. To date, the main obstacle to the uptake of certificates has been that institutions regarded it as complex, expensive, and of marginal benefit. An important aim of the TIES project, therefore, will be to show that digital certificate deployment is neither unaffordable nor technically overdemanding. Moreover, possession of a digital certificate is likely to become an important, but routine, asset for the members of H&FE institutions.

A key issue to be resolved as one of the outcomes of TIES, is to find effective methods to encourage deployment of digital certificate technology throughout the sector. A recently published consultation paper on authentication and authorisation envisaged two scenarios:

  • one where some institutions generate and issue their own certificates (backed up by a JISC-signed certificate for the institution);
  • one where JISC generates certificates for the members of a number of institutions; each institution is then responsible for distributing the certificates to its members.

It could be argued that digital certificate technology is now mature, and straightforward to deploy both in Unix/Apache and Microsoft web-based services, and in standard browsers. Hence there is little to be gained by issuing certificates to individuals from a national service. If anything, it's simpler to do this locally. On the other hand, a single national CA (with institutions acting as RAs) has substantial benefits of simplicity and consistency [link CA and RA to terms in glossary] in the construction of a digital certificate infrastructure. While the technology for local certificate management may be mature, this convenience must be balanced against the operational problems that may arise where multiple certificate authorities are involved.

The determining factor is practicality: different solutions may be appropriate for different institutions; some institutions are likely to prefer to issues their own certificates; for others, the support of a packaged solution may provide a necessary reassurance. TIES will attempt to evaluate the relative merits of these arguments and will consider the problems of sector-wide deployment.

While the adoption of a new technology can be a challenging experience, there are many benefits to be gained by all parties:

  • Users: An identity certificate will enable a user to authenticate to internal or external JISC web-based services without encountering password challenges. Moreover, where the same technology is adopted within the institution as a routine security mechanism, the number of name/password pairs a user must remember to perform different tasks is reduced.
  • Institutions: While many institutions perform Athens registration with care, others permit their users to register anonymously by self-registration. For the former, the deployment of digital certificate will eliminate an administrative task; for the latter, it will reduce the risk of licence violation. Many institutions operate independent name/password regimes for different internal services. There are clear savings to be made in replacing these with a unified institutional security mechanism. Further, as the standards for VLE technology mature, many more institutions may find that the provision of digital certificates to their students becomes a necessary component of their Learning & Teaching service support. Other benefits, such as support for MIS services and participation in Grid projects have already been mentioned.
  • JISC Information Environment: The need to 'join-up' the various unconnected elements of the JISC Information Environment is well recognised. The key problem in presenting each user with a set of integrated services (sometimes called the 'appropriate service' problem) hinges on access to comprehensive authorisation information. Most of the emerging solutions for authorisation build on the foundation of authentication services provided by a digital certificate infrastructure.

Home

Background

Contacts

Glossary

About TIES

Back to the top of this page