July 2009

I’ve been asked several times if it is possible to restrict access to users by geographical location using federated access. This is normally from a Service Provider who wants to restrict access to a resource to people physically present somewhere in the UK. My begrudging answer is, yes, there are ways of doing this. eduPerson has a locality field that could be populated, or you could ask for postcodes to query against. Of course this doesn’t ensure that the person is physically within the UK, only that the IdP believes that the person in question is normally resident in the UK.

To ensure that people are physically within a specific location, IP checking is normally relied upon. This in itself is not a particularly reliable process – machines in the UK often have IP addresses that would be flagged as belonging to another country, and proxy servers and VPN access will get around all of these issues.

My main reaction however would have to be WHY, oh WHY would you want to try and do this? As you can see from the above, it is a fairly difficult thing to achieve, so you are immediately placing an expectation on your customer that they are likely to fail to meet. I also don’t understand why restricting access just to the UK would be perceived as more secure. Downloaded information could easily be passed beyond the boundaries of the UK in an instant because of that interweb thingamy :-) I can almost, I guess, understand why BBC iPlayer would only be available in the UK because of license payer issues, but as a license payer I think I should be able to access iPlayer when I’m in other countries, especially so I don’t miss the final episode of The Apprentice! The right is not a geographical one – it is actually a personal one based on my license fee payment.

In a world of ubiquitous electronic access, I think it is foolish to try and restrict access by location (and yes, I’m afraid that for me this includes ‘on site only’ access). Location is often inaccurately identified as the restricting element for access – but when properly analysed, you can nearly always find a better way of managing such a process. Does a publisher, for example, actually mean that they would be uncomfortable with students permanently resident overseas using a resource, rather than that it can only be used in the UK?

I think it is such a shame that we are still dealing with these issues, and that it automatically cuts the publisher off from developing their resources for use on iPhones and netbooks and in other truly mobile locations due to what I see as an inaccurate interpretation of security. Let’s hope we can move on!

It may sound like an airport novel, but when we were introducing FAM to the world (and by world I mean UK HE / FE) one of the scare stories that doubters threw around was that it was a single point of failure – if one thing goes wrong, then you lose access etc.

As a scare story it had little effect on IT staff – who obviously are used to planning for resilience, redundancy, disaster recovery etc – but it did worry Librarians, who on the whole have to worry less about such issues. It was one reason why we were so keen at briefing events for institutions to send IT and Librarians together – so they could reassure each other of the worrying bits outside each other’s natural domains. Well, good practice on the IT front should heavily mitigate the topic of today’s title – however… Server Certificates… well, for the non tech out there, they play a similar role to passports and work in a similar way – i.e. if you get to the check in desk and yours is out of date, you don’t get to go anywhere. That’s it, no negotiation, no pleading, just no flight, no holiday.

And it works the same way for Publishers as well… – makes me almost wish we had a central certificate reminding service – and I don’t mean an email and letter that sometimes get ignored given the amount of spam and junk mail we get – but no, an annoying persistent phone call that just keeps on coming until the cert is renewed…

This week, I attended Mashed Library UK 2009 (Mash Oop North), and as the various tweets and blog posts will show, a good time was had by all! It was a good opportunity for me to get a bit of a break from all things access and identity management (although I did slip up a couple of times and voice definite identity thoughts) and I also got to play with Yahoo Pipes for the first time without just staring at the screen in horror and confusion.

As part of the event, delegates submitted ideas to the ideas bank for various different library mash-ups. I was interested to see how many of these were directly related to good old-fashioned physical books and their management. In the world of JISC, we tend to spend most of our time thinking about the world of ‘e’, journals and more frequently at the moment e-books.

So why this focus? Is it that we have already done as much as we can with e-journals? Is it that publishers are doing it all for us? Is it that e-journal data is too locked down and not mashable? Or is it just that books are still the most relevant resource for libraries and students?

#mashlib09

I spent most of Friday at a meeting with the DCSF discussing some of the trickier elements of access to online services that they are grappling with. I came away most glad that I don’t work for a government department, but also appreciative of some of the problems that they are facing in meeting targets related to online access.

DCSF are required to provide online access to parents about their children by 2011 in a variety of ‘online reporting’ areas, including behaviour, attendance, attainment and performance. This smacks a little like one of those goals that have not been thought through fully in terms of what parents actually want to see, and how they wished it to be delivered. For example, if the purpose of the online reporting is to show me that the school thinks my child has been in attendance for 80% of the year, whereas I think it is 100%, therefore offering me the chance to challenge official records, that is all well and good. If the purpose of the online reporting is to tell me that my child is not in school – I’d rather have a phone call please :-)

The meeting talked around three key areas – credentialing, interface and claims assertion, with the third area being the most problematic.

The question of credentialing for parents is being addressed by an interfederation agreement between the Government Gateway and the UK federation. Schools and local authorities are already establishing services within the UK federation, but should not have the additional burden of having to provide credentials to parents. Many people will already have a Government Gateway login, perhaps without realising it (have you ordered your car tax, or done your tax return online?) and it is a sensible and secure credential to use. The main concern in this area is that if this work does not move forward quickly enough, schools will be forced to supply local credentials. In the long term, the Government Gateway and Direct.gov are looking at ways of integrating other credentials into this system – such as OpenID.

Interface is an interesting question as of course a familiar look and feel across all of the services will be beneficial for parents, but many of these developments are currently happening on an individual school by school basis. Direct.gov is recognising the benefits of single branding across public sector services, and pulling in parental access to this makes sense. Becta is encouraging schools to at least aggregate and work at a local authority or regional broadband consortia level, but this will be a space where more work is needed.

The most problematic area is managing the policy around asserting your claim as parent to a child. Technically, this is a very simple process as claims-based access fits in well to the current architectures for the UK federation and Government Gateway. Managing the process whereby a claim is validated, a token for this claim applied, and most importantly claims revoked where appropriate is very complex. It is recognised that this is actually badly managed in the real world at the moment – the Local Authority where I wish to send my child to school accepts my school application without much identity validation or checking. This information is then sent on to the school, and I become the primary contact for that child. Therefore, my claim as parent is fundamentally self-asserted. It is assumed that a stronger validation is needed in the online environment, but this assumption needs further work to establish a process. This may need stronger identity validation at the school application point, or could be a weaker process where tokens are handed out to children via the ‘book bag’. Schools also recognise that they tend to default to creating a core relationship with the mother – a fact that is often not valid in today’s environment.

Overall, I think more work is needed on the services that parents will feel are beneficial for online access. I’d much rather see combined online access for the school application with payments for trips, consent forms for trips, payments for school meals, and all the other administrative functions of being a parent. Behaviour and reporting? Well there is a lot to say in this area for the old-fashioned school report and parents’ evening :-)

…such as the idea of Google hosting NHS data …and times when you probably don’t…like if you are a spy on Facebook….

JISC digital conference was a breath of fresh air being particularly content focused.
Things I learned were:
That, for fans of the IT Crowd, the Internet really does reside in one box.

Galaxy Zoo put a new spin on cosmic cloud computing.

The Oxford great war archive really excited the historian in me.

The latter were interesting in the sense that both could benefit from federated access management and the way it can help with issues of provenance, but they would also have some issues brought up by it – particularly that of an additional possible barrier to participation. Fear of a login button(s) driving away users can be valid but that’s one of the reasons why JISC / Cardiff University recently held a publisher workshop to look at how best that can be implemented. Results I hope to be able to share by the end of the summer.