From: technews <technews@ou.edu>
To: "'it-fyi@listserv.ou.edu'" <it-fyi@lists.ou.edu>
Subject: it-fyi: Digital Certificates Key to On-Line Activities? (Chron o
Date: Mon, 6 Dec 1999 11:18:29 -0600
Do 'Digital Certificates' Hold the Key to Colleges' On-Line Activities?
By FLORENCE OLSEN
Facing a growing need to verify the identities of students and employees for
on-line transactions, a handful of universities have begun issuing high-tech
"digital certificates" that are nearly impossible for hackers to tamper
with.
Because the portable electronic identifiers are highly efficient at proving
to other computers that people are who their computers say they are,
officials at some leading research universities say that certificates have
dozens, if not hundreds, of potential uses.
Administrators hope to rely on the digital certificates as they make more
and more of their campus functions "self-service" -- for example, letting
students register for courses on line. And the certificates may let network
administrators determine who gets to take advantage of new high-speed links
created by projects like Internet2.
A digital certificate is a tiny, coded file with identifying information
about an individual or institution. Associated with the certificate is a
pair of encryption keys, one private and one public. The public key lends
its name to "public-key infrastructure" -- the software, policies, and
practices for managing digital certificates.
Research librarians may have the most pressing need for certificates, to
help their users gain access to data bases and electronic copies of journals
outside of their campus collections.
Most research institutions are not yet issuing digital certificates,
however, because publishers of the electronic data bases they subscribe to
don't have their servers set up to accept certificates, says Eric F.
Celeste, assistant director for technology planning and administration for
the Massachusetts Institute of Technology's libraries. The publishers see
little reason to invest in the technology until universities do the same.
"They look around and ask, 'Who's got certificates? Why should we spend
energy on this?'" he says.
That stalemate is what prompted M.I.T. and the Corporation for Research and
Educational Networking, a non-profit organization of colleges and
universities, to offer a service for validating the digital certificates of
higher-education and research institutions that meet CREN's strict technical
and business standards. By using the service, an institution could avoid the
complex business and technical agreements that it would otherwise need to
negotiate, on its own, to insure that its certificates would be accepted by
other universities and electronic publishers.
The new service, which created its first certificates last month, could have
the effect of "bootstrapping" colleges that might otherwise lag in adopting
an important technology for conducting transactions with other institutions
over the Internet, says Jeffrey I. Schiller, manager of network services for
M.I.T. and the principal architect of CREN's certificate service.
Many technology experts, Mr. Schiller among them, think that institutions
will quickly find new uses for digital certificates, and the encryption keys
associated with them, if the cost is reasonable and they learn how to manage
thousands of certificates.
As they get comfortable with the technology, some computing officials say
they may begin using it to put electronic signatures on official documents
or, in some cases, to encrypt sensitive personnel documents.
But cost could also affect how quickly universities begin using certificates
on a scale larger than that of the current pilot projects, campus-computing
officials say.
One day last month, Mr. Schiller was the center of attention for about three
dozen university officials who crowded into Room 302 of the Muckley Building
on the M.I.T. campus here. His equipment on that day was a specially
engineered certificate server that could be activated only by a physical
key. The small gathering watched as he turned the key and generated its
more-complex digital equivalent, a "root key" for creating CREN
certificates. The key was a sequence of 2,048 characters, making it "very,
very hard" for hackers to break, he said.
As Mr. Schiller carefully executed the initial steps in generating the root
key, several college officials who were present said the occasion was
"historic." After generating the key, Mr. Schiller used it to sign the first
CREN institutional certificate, which was issued to Princeton University.
CREN has since issued certificates to M.I.T. and the Georgia Institute of
Technology as well. The institutions will in turn use those to create
personal digital certificates for their students and staff and faculty
members. The certificates, stored in users' Web browsers, will be linked to
those of the institutions, verifying both the identity of the individual
user and the user's connection to a specific university.
In the case of a user who is seeking access to an on-line journal, for
instance, the certificate would act as a "simple, anonymous library card
that the publisher's server recognizes as valid because the certificate has
the CREN signature," says Judith V. Boettcher, CREN's executive director.
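The chain just described (the CREN root signs an institutional certificate, the institution issues personal certificates, and a publisher's server accepts a user only if the chain leads back to the CREN root) as an added example in Go, using only its standard library; this is not CREN's or any university's code, and the names, the ed25519 keys and the 24-hour validity period are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue signs a certificate for cn with parentKey (nil parent: self-signed root); KeyUsageCertSign in usage marks a CA.
func issue(cn string, usage x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed demo; a real CA tracks serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: usage,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // a browser-held identity certificate
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyUser is the publisher-side check: accept the personal certificate only if it chains through the institution's certificate to the trusted CREN root.
func verifyUser(user, inst, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inst)
	_, err := user.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	root, rootKey := issue("CREN Root (constructed)", x509.KeyUsageCertSign, nil, nil)
	inst, instKey := issue("Example University CA (constructed)", x509.KeyUsageCertSign, root, rootKey)
	student, _ := issue("student@example.edu (constructed)", x509.KeyUsageDigitalSignature, inst, instKey)
	fmt.Println("student via CREN-rooted chain:", verifyUser(student, inst, root)) // <nil>
	other, otherKey := issue("Unrelated CA (constructed)", x509.KeyUsageCertSign, nil, nil)
	stranger, _ := issue("someone@other.example (constructed)", x509.KeyUsageDigitalSignature, other, otherKey)
	fmt.Println("stranger via unknown chain:", verifyUser(stranger, other, root)) // non-nil: unknown authority
}
```

The publisher never needs the institution's private key or a per-user agreement: it trusts one root and lets the institution vouch for its members.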
Digital certificates are designed to resolve problems like the ones facing
the libraries at M.I.T. About three years ago, students and employees at
M.I.T. began paying Internet-service providers commercial rates for
connections, which in many cases were cheaper than those offered through the
institution. That shift gave them addresses that didn't end in "mit.edu."
Soon many of them found they were barred from library resources because
their addresses could not be recognized as originating at M.I.T.
As a stop-gap measure, M.I.T. installed a proxy server, into which M.I.T.'s
library users can dial from anywhere to gain access to licensed data bases.
But before that could happen, M.I.T. officials had to persuade more than 60
data-base and journal publishers to accept requests routed through the proxy
server.
Most of the publishers agreed to do so. But M.I.T.'s Mr. Celeste says proxy
servers are "terrible" to manage, and M.I.T. looks forward to replacing them
with a digital-certificate system.
M.I.T. officials have begun talking about other uses, too, for the
university's CREN-based certificates. "As we roll out
certificate-authenticated services on campus," Mr. Schiller says, "alums may
want to get access to those services" -- such as permanent M.I.T. e-mail
addresses, which the university now offers to its graduates.
Several other research universities, among them the University of California
system and Columbia University, are planning in 2000 to expand pilot
projects in which they have issued digital certificates to some of their
library users.
So far, verifying a person's identity on the Internet is the only use for
which the University of California system has approved digital certificates,
says David Wasley, an information-resources official in the university
president's office.
Mr. Wasley thinks it could be several years before the California system is
able to rely on the technology for a variety of daily operations. "We really
want to get more practical experience and feedback," he says. Eventually,
however, system officials want to use digital certificates to guarantee "the
validity and auditability" of all university business conducted over the
Internet, Mr. Wasley says.
Georgia Tech intends to rely on digital certificates "across every regime,"
for administrative, academic, and research purposes, says Gordon Wishon,
associate vice-president and associate vice-provost for information
technology. The university, which is installing an electronic-procurement
system from the PeopleSoft Corporation, will need digital certificates to
prove that transactions have been initiated and authorized by the
appropriate people, he says.
Universities with Defense Department research contracts will probably be the
early adopters of certificate technology, says David J. Hogarth,
administrative assistant to the assistant provost at M.I.T. The department
has announced that it intends to have digital certificates for its four
million civilian and military employees and contractors by the end of 2002.
As with any new technology, the importance of having appropriate policies
and procedures in place for handling digital certificates can't be
overlooked, says Ira H. Fuchs, vice-president for computing and information
technology at Princeton, which will use its new digital certificates to
identify library users to electronic publishers whose data bases and
journals the library has licensed. Mr. Fuchs is also the founder and
president of CREN and the chief scientist of JSTOR, a non-profit
organization that offers a data base of back issues of academic journals.
Mr. Fuchs says the policy questions will "get very sticky" unless
universities think clearly about what they are doing before they start
issuing digital certificates to everyone -- leaving themselves "no way to
undo what they've done." Among the "sticky" issues, he says, is how to
handle the "escrow" keys, used for decoding, that institutions will need if
they plan to encrypt documents.
To realize the full potential of digital certificates, institutions will
need standards for managing different levels of access to digital
information, Mr. Wasley says. Budgetary and financial information, personnel
data, and even network services, for example, are resources for which
universities should offer different levels of controlled access.
Internet2's promise of providing a better network for scientific research,
he says, "will be meaningless" without access controls. "You don't want
high-definition television coming out of the dormitory, tying up Internet2,"
agrees Clifford A. Lynch, executive director of the Coalition for
Networked Information, a consortium that promotes the use of computer
networks. Digital certificates, he says, are the answer.
Cost, at least initially, could limit the use of digital certificates to a
small number of well-heeled research universities. Commercial outfits that
charge on a per-certificate basis -- even at 2 cents each -- may price
themselves out of the university market, according to Mr. Wasley, who says
"the cost model is very important." But if a university purchased a site
license for its entire population, he says, it "could issue three million or
30 million certificates -- it wouldn't change the cost."
CREN's certificate service is free to members of CREN and available for a
fee to non-members. Only about a half-dozen certificate-service providers
operate today, including those run by the federal government and by several
large companies.
How quickly electronic publishers and other users begin to accept electronic
certificates from CREN or other certificate authorities may ultimately
depend on how easy it is to set up servers that recognize the certificates.
Columbia's experience in a pilot project with the OCLC Online Computer
Library Center and JSTOR "leads us to think it's not that hard," says David
Millman, manager of research and development for academic information
systems at Columbia.
Leah Houser, the manager of OCLC's reference services, says her biggest
concern is the prospect of having to work with too many certificate-server
configurations put together by different colleges and universities. If
universities wind up using widely dissimilar technical approaches, she says,
managing certificates could become "onerous" for electronic publishers.
Electronic publishers also may have to be persuaded that digital
certificates are not just the latest gee-whiz fad. "We have to sell them on
the fact that this is not something that we're going to experiment with, see
what happens, and then throw it away," says Ron Hutchins, director of
engineering at Georgia Tech. Digital certificates will be the infrastructure
on which, he says, "our future depends."
_________________________________________________________________
Copyright 1999 by The Chronicle of Higher Education