March 2010


The other night I had a dream that the government had declared that Wikipedia was the ultimate source of truth, and no-one was allowed to challenge its status as a factual source. The powers subscribed to Wikipedia were such that that if your Wikipedia page was updated with your obituary, you instantly died.

Instead of waking up in a blind panic about the controlling forces of a dystopian nightmare future, I was happy. My immediate thought was, “great, that immediately solves the resource and person identifier problem as everyone can use Wikipedia URIs”.

I definitely need to get out more.

Who are UI?

One of the things that I often hear quoted at me when talking about the work JISC and TERENA are undertaking to improve the user experience of federated login is the work undertaken by Google on federated login. Now, don’t get me wrong, I’m definitely not a Google Luddite, I use Google tools all the time (although Wave and Buzz really have done nothing for me). I also really appreciate the fact that Google as a company invests in this kind of research – it is important for us all.

However, my recent experience of usernames and passwords in Google-sphere does not convince me that e-mail address as the primary identifier is the right way to go, as it assigns an identifier function to that address in contexts that it was not intended for.

Let me demonstrate.

I’ve had a Google account for ages, and I use the mailing list address for access management at JISC as the e-mail identifier as I use Google Docs etc. for work. Very easy, makes sense. It is also a familiar pattern – I log in to Amazon with my Hotmail account, similar user flow. All well and good.

Google Login 1

However, Google are also in the business of offering e-mail services, and this is where it gets complicated. For various reasons, I recently decided to set up a Google Mail account for the first time. Now it is true that you can set up Google Mail from scratch without needing to link to the account used for your other Google activities – but then I would simply be creating multiple profiles to manage and would inevitably get into a muddle – particularly as Google automatically fires up access to all of its other services wherever you create an account.

So I set one up from within my existing user account. No problem – I created federatedaccess@googlemail.com. Fine. I then sent a message to that address to test it. Nothing came through. Huh? A few minutes later and ping! my test e-mail arrives at jisc-access-management@jiscmail.ac.uk. OK, something strange is happening. It turns out that Googlemail defaults to the e-mail address you use to login rather than the e-mail address you create. Weird, but OK – I can change that.

Google Login 2

All done. Woah, now what has happened? Now my login name has changed at the top of the page! So who am I logged in as?

Google Login 3

Further clicking assures me that I am still logged in against my normal Google account and can still access everything as normal. But I am confused. Which is my login? Do they have the same password? Which do I need to enter when?

A big plus is that they both work, but I still think that whole process is conceptually very confusing. I think this is where we need to think about where it makes sense to use an e-mail address as part of the credential process, and where it doesn’t. With Amazon, it makes sense to me as the e-mail account plays a primary role in the transaction process – it is where Amazon send transaction information. Within Google, I just don’t think this holds true. I think the process would have been much simpler if Google had originally allowed me to create a username / user identifier, and then offered me the chance to have this identifier as the first part of my email address (or not) when I started using Google mail.

By taking an external address and turning it into a primary identifier, I think Google run the risk of creating a bad user experience and confusing the function of address (as locator) and identifier. To quote NatWest, there must be another way…
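The separation argued for above can be shown in code. The following is an added example (not Google’s design and not code from the original post): an account directory in which the identifier is an opaque, stable account id, and e-mail addresses are merely locators attached to it. Any address that locates the account can be used to log in, all of them resolve to the same single password, and changing or adding an address never changes who you are logged in as. All class and field names are hypothetical.

```python
"""Added example: opaque account identifier with e-mail addresses as locators."""
import hashlib
import hmac
import secrets


class Account:
    """One principal. The identifier is never an e-mail address."""

    def __init__(self, account_id, password_hash, salt):
        self.account_id = account_id
        self.password_hash = password_hash
        self.salt = salt
        self.addresses = set()        # locators that route mail to this account
        self.primary_address = None   # where outgoing/incoming mail is delivered


class Directory:
    def __init__(self):
        self.accounts = {}        # account_id -> Account
        self.address_index = {}   # lowercased address -> account_id

    @staticmethod
    def _hash(password, salt):
        # Salted PBKDF2 so two accounts with the same password hash differently.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def create_account(self, password, initial_address):
        account_id = "acct-" + secrets.token_hex(8)   # opaque, random, stable
        salt = secrets.token_bytes(16)
        acct = Account(account_id, self._hash(password, salt), salt)
        self.accounts[account_id] = acct
        self.add_address(account_id, initial_address)
        return account_id

    def add_address(self, account_id, address):
        """Attach a locator; an address may locate at most one account."""
        key = address.strip().lower()
        owner = self.address_index.get(key)
        if owner is not None and owner != account_id:
            raise ValueError("address already locates another account")
        self.address_index[key] = account_id
        acct = self.accounts[account_id]
        acct.addresses.add(key)
        if acct.primary_address is None:
            acct.primary_address = key

    def set_primary_address(self, account_id, address):
        """Change where mail goes. The account id, and thus the login, is unchanged."""
        key = address.strip().lower()
        acct = self.accounts[account_id]
        if key not in acct.addresses:
            raise ValueError("address is not attached to this account")
        acct.primary_address = key
        return acct.account_id

    def login(self, address, password):
        """Resolve locator -> identifier, then check the one credential."""
        account_id = self.address_index.get(address.strip().lower())
        if account_id is None:
            return None
        acct = self.accounts[account_id]
        candidate = self._hash(password, acct.salt)
        if not hmac.compare_digest(acct.password_hash, candidate):
            return None
        return acct.account_id


def walk_through():
    """Replays the situation in the post with constructed addresses."""
    d = Directory()
    acct = d.create_account("correct horse", "list-address@example.org")
    d.add_address(acct, "new-mailbox@example.com")          # the new mail address
    d.set_primary_address(acct, "new-mailbox@example.com")  # mail now lands there
    return {
        "login_by_old": d.login("list-address@example.org", "correct horse"),
        "login_by_new": d.login("NEW-mailbox@example.com", "correct horse"),
        "wrong_password": d.login("new-mailbox@example.com", "guess"),
        "account_id": acct,
        "primary": d.accounts[acct].primary_address,
    }
```

The point the walkthrough makes is that "which is my login?" has one answer: both addresses resolve to the same account id and the same password, so the primary address can be switched without the user becoming someone else.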

An interesting question for you all on a sunny Thursday afternoon. I have been working on a small internal project for some time to try and sort out unique identifiers for JISC. This is inspired mostly by the work I am doing to ‘FED-up’ our services but also to improve communication flow across the Executive.

I have my URI schema fairly well sorted out right down to the project level, but here I am stuck. My question:

Should project ‘identifiers’ (for administration) and project ‘tags’ (for communication) be one and the same?

I have come up with the following approaches:

  1. ASSIGN A NUMERIC IDENTIFIER TO EACH PROJECT AGAINST PROGRAMME NAME. For example JiscDEPO/001. This will meet all my administration needs, can be assigned at the point of grant letter issue, avoids any clashes etc. etc. However it will mean that projects have several identifiers / tags and is non-intuitive so you will probably have to keep on looking back to your grant letter to remember if you are asked.
  2. ASK PROJECTS TO DEFINE A TAG AT PROJECT PROPOSAL STAGE. We have already issued advice on tagging and it would be easy to collate these and issue grant letters against a project defined tag. This example would be JiscDEPO/origamipro to make up a project tag. The only real problem here is that tags will be created for projects that don’t get funded and there would be no way to distinguish a formally funded project from a project proposal.
  3. COLLATE IDENTIFIERS FOR PROJECTS AT PROJECT PLAN STAGE. This is more of an administrative burden, and means there is no identifier in the funding letter, which I am quite keen to establish.

What do people think? Am I being overzealous trying to conflate identifiers for administration with tags that have a different purpose in life? Am I strange to even be thinking about this at all? Is there ‘another way’? Ideas on the usual comments-postcard please.

You may remember a while back we were asking for comments on the Publisher Interface Study undertaken for JISC by Cardiff University and JISC Collections.

I thought it was probably about time I updated you on what we are doing with this!

The TERENA REFEDs group has set up a small working group to take forward the recommendations from the report. This will be in three stages:

  1. The creation of a full business case aligned to the recommendations, with a particular focus on affordability and achievability for the sector (including publishers and institutions).
  2. Following on from the acceptance (or indeed rejection!) of the business case, the development of appropriate branding and style guide using design experts.
  3. Roll-out and dissemination as appropriate.

We are hoping this work will not only focus on the specific FAM implementation issues but also other problems such as user understanding and recognition of IP sessions etc.

In the meantime, lots of the other work will be going on. The SDSS group at EDINA are busily contributing to the Shibboleth codebase to improve the usability of the WAYF.

The UK federation has completed an in-depth usability review of its own WAYF and is implementing the recommendations.

JISC Collections are planning some workshops to help inform the business case work. This is timely as it links in with other interface reviews such as the uBird study.

And me? Well I’m sitting on the TERENA REFEDS working group and will also be working closely with UKSG to help promote and discuss this work so keep an eye out for more on this!

So, it had to be done really. Having been super organised and managed to get son to bed, food in me, and exercise complete last night, I found myself with time to watch Panorama. I really didn’t want to. I knew it would annoy me. Believe me, had it clashed with Glee, I would have jumped channel faster than JISC staff run into the kitchen at the word ‘cake’.

The Digital Economy Bill is obviously getting a lot of attention, and a lot of criticism. I’m less interested in the rights and the wrongs of the government putting in place legislation to protect multi-million pound industries. What interests me is the pointlessness and the waste of money in putting in place legislation that the internet-savvy will gracefully step around.

It was the quiet, well-informed and unremarkable segment from Dr Richard Clayton from the University of Cambridge that for me was the crux of this programme. The legislation depends on rights holders and subsequently ISPs being able to identify that a breach came from a specific IP address, or IP range. It is ridiculously easy to mask, hide, confuse, change or disguise your IP address right now. I was very amused to see that traffic on Proxify had caused it to switch over to subscriber-only mode straight after Panorama. Even if it wasn’t, the people who are interested in file sharing will quickly ensure this type of anonymity is as easy as clicking a box.

I often have ‘discussions’ with people about ensuring that technology can actually deliver the legal framework that is being built around electronic resources – normally in a licensing context. However, as different groups try different approaches to ‘control’ the wild wild web, we will see this disjuncture between legal limitations and technical possibilities come up more and more.

As I said, I don’t want to get into the right and wrong arguments about copyright on an access management blog, but here are a couple of observations to throw into the pot.

  • Record companies seem to assume that every illegal download equates to a lost sale. There is plenty of evidence to suggest that illegal downloads can lead to sales, and the converse – if the illegal file was not there it does not necessarily mean the user would turn to a paid for resource.
  • Panorama cited figures that clearly showed that illegal downloaders spend more money per year than those who always pay for downloads. I’m no marketing expert, but disenfranchising your most lucrative customer base seems a little odd to me…

I had a very interesting discussion yesterday with a colleague about how it might be possible to make federated access management work for public libraries. As usual, it comes down to the two basic questions of access management:

  • Who is managing credential information to allow authentication?
  • Who is authorised to access the resource?

I’ll deal with the second question first as it is perhaps the more interesting. I know very little about how public libraries license electronic resources, but I do know that many are underused. To give you an idea of the extent of information available online at libraries, have a look at Manchester Public Library’s e-resources.

Manchester Public Library currently manages access via library barcode number – i.e. you have to be a member of the library to access that resource. Interestingly, Manchester City Council is actually responsible for the identity management – you get passed to their website to login and then passed on to the resource.

I wonder if the licence for Manchester Public Library is for library members, or is based on some other criteria? The reason that this is an interesting question is that anyone in the UK is entitled to join Manchester Public Library. I can join from my home in Surrey online, and quickly get access to all of those resources. Fantastic for me! Not a great business model for the publishers. The only reason this is not a real issue is because very few people exploit these access paths.

A different model for public libraries may be not to look at licensing for members, but licensing regionally. Pricing is normally agreed based on regional population, but conversely access is offered to members – a set of criteria that does not add up.

So that is authorisation. Now, authentication.

It does make sense for public libraries to look at using FAM. Barcode access processes are often clunky, often insecure and it is yet another system for both libraries and publishers to have to manage.

If public libraries continue to offer access based on membership, the library or a body related to that library would have to run an Identity Provider in a federated access management environment, as they have the membership information. It may be possible for some libraries to make use of the work being undertaken by Local Authorities to provide federated access for schools – but there will still be technical implementation costs.

A more interesting model might be to exploit the planned interfederation between the UK federation and the Government Gateway. This will allow people with a ‘citizen’ credential within the Government Gateway to access resources within the UK federation. If we then assume that these citizen accounts contain some sort of standard location information (i.e. I live or work within the boundaries of Greater Manchester) it would be very easy to authorise all users against a regionally negotiated licence as opposed to a member negotiated licence. This could be achieved with very little expenditure on technical infrastructure by libraries, local authorities or publishers, but would require a change in the way the libraries negotiate licences. That surely has to be an interesting approach to explore?
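The two licensing bases discussed above (per-member versus per-region) can be written down as an authorisation rule over the attributes an Identity Provider asserts. The following is an added example, not code from the original post or from any federation: a minimal policy check that evaluates a member-based licence against a library-membership attribute and a region-based licence against a location attribute. The attribute names, the two sample assertions and the licence records are all constructed for illustration; in particular the location attribute on a citizen credential is the assumption the post itself makes, not a documented Government Gateway attribute.

```python
"""Added example: member-based versus region-based licence authorisation."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Licence:
    resource: str
    basis: str          # "member" or "regional" (anything else is denied)
    library: str = ""   # member licences: whose membership is licensed
    region: str = ""    # regional licences: the licensed area


@dataclass
class Assertion:
    """What an IdP asserts about the user after authentication."""
    issuer: str
    attributes: dict = field(default_factory=dict)


def authorise(licence, assertion):
    """Deny by default; grant only if the licence basis is met by the attributes."""
    attrs = assertion.attributes
    if licence.basis == "member":
        # Hypothetical multi-valued attribute listing library memberships.
        return licence.library in attrs.get("libraryMembership", ())
    if licence.basis == "regional":
        # Hypothetical location attributes; the post assumes live-or-work location.
        return licence.region in (attrs.get("residenceRegion"), attrs.get("workRegion"))
    return False


# Constructed licences for one resource under each negotiating model.
MEMBER_LICENCE = Licence("Sample E-Resource", "member", library="Manchester Public Library")
REGIONAL_LICENCE = Licence("Sample E-Resource", "regional", region="Greater Manchester")

# Constructed assertions: the remote online joiner from Surrey, and a local
# resident holding only a citizen credential with no library membership.
REMOTE_JOINER = Assertion(
    issuer="https://idp.library.example/",
    attributes={"libraryMembership": ["Manchester Public Library"],
                "residenceRegion": "Surrey"},
)
LOCAL_CITIZEN = Assertion(
    issuer="https://citizen-idp.example/",
    attributes={"residenceRegion": "Greater Manchester"},
)


def decide_all():
    """Returns the four decisions the post reasons about."""
    return {
        "remote_joiner_member": authorise(MEMBER_LICENCE, REMOTE_JOINER),
        "remote_joiner_regional": authorise(REGIONAL_LICENCE, REMOTE_JOINER),
        "local_citizen_member": authorise(MEMBER_LICENCE, LOCAL_CITIZEN),
        "local_citizen_regional": authorise(REGIONAL_LICENCE, LOCAL_CITIZEN),
    }
```

The decisions make the mismatch in the post concrete: under the member licence the Surrey joiner is authorised and the local citizen is not, while under the regional licence the positions reverse, which is exactly why the licence basis and the attributes asserted have to be negotiated together.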

I have a bunch of spreadsheets. Each spreadsheet represents one institution. Each spreadsheet contains a list of resources that institution subscribes to.

I want to turn this around so that I end up with one spreadsheet with each resource as column, and each institution that subscribes to that resource underneath it.

Can anyone suggest ways to make this happen?
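One way to do this, as an added example rather than anything from the original post: export each institution’s spreadsheet to CSV, read the resource column from every file, invert the mapping so each resource lists its subscribing institutions, and write one CSV with a column per resource. The three in-memory sheets below are constructed sample input; the column name `resource` and the use of the file name as the institution name are assumptions.

```python
"""Added example: invert per-institution resource lists into a per-resource sheet."""
import csv
import io
from pathlib import Path

# Constructed sample input: one CSV per institution with a 'resource' column.
SAMPLE_SHEETS = {
    "Example University": "resource\nJournal A\nDatabase B\n",
    "Sample College": "resource\nDatabase B\nArchive C\n",
    "Demo Institute": "resource\nJournal A\nArchive C\nDatabase B\n",
}


def resources_from_csv(text, column="resource"):
    """Return the non-empty values of the resource column of one sheet."""
    reader = csv.DictReader(io.StringIO(text))
    return [row[column].strip() for row in reader if (row.get(column) or "").strip()]


def load_folder(folder, column="resource"):
    """Read every *.csv in a folder; the file stem (assumed) names the institution."""
    return {
        path.stem: resources_from_csv(path.read_text(encoding="utf-8"), column)
        for path in sorted(Path(folder).glob("*.csv"))
    }


def invert(institution_to_resources):
    """institution -> [resources]  becomes  resource -> [institutions], both sorted."""
    resource_to_institutions = {}
    for institution, resources in institution_to_resources.items():
        for resource in resources:
            subscribers = resource_to_institutions.setdefault(resource, [])
            if institution not in subscribers:     # tolerate duplicate rows
                subscribers.append(institution)
    return {r: sorted(s) for r, s in sorted(resource_to_institutions.items())}


def to_columns_csv(resource_to_institutions):
    """One column per resource, subscribing institutions listed underneath."""
    resources = list(resource_to_institutions)
    depth = max((len(v) for v in resource_to_institutions.values()), default=0)
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(resources)
    for i in range(depth):
        writer.writerow([
            resource_to_institutions[r][i] if i < len(resource_to_institutions[r]) else ""
            for r in resources
        ])
    return out.getvalue()


def demo():
    """Runs the pipeline on the constructed sheets and returns the output CSV text."""
    sheets = {name: resources_from_csv(text) for name, text in SAMPLE_SHEETS.items()}
    return to_columns_csv(invert(sheets))


if __name__ == "__main__":
    print(demo())
```

For real files, replace the `SAMPLE_SHEETS` step with `load_folder("path/to/exports")` and write the returned text to a `.csv` that the spreadsheet application can open.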

So yesterday was the first programme meeting of the JISC AIM Programme, being ably led by Chris Brown. I won’t go in to too much detail about all of the nine projects, as you can see for yourself on the JISC website. Instead, I will try and tell you the things that struck me from the day.

Things I am excited about:

  • I think I may have already mentioned that I am very interested in the RAPTOR project as I think the stats tool they are producing will provide real and immediate benefit to universities and colleges throughout the UK. They are looking for people who would be willing to product test for them – so do get in touch if you would like to be involved!
  • The SMART project will look at the emerging UMA (User Managed Access) protocol that is part of the Kantara Initiative. I’m really pleased to see some real UK effort going in to Kantara, and as far as I know, this is the first project we have funded that really looks at the tricky problem of getting students firmly engaged as the ‘managers’ of their identity. This is definitely one to watch.

Things I am curious about:

  • The Identity and Access Using Social Networking Technologies Project (phew, now you know why we use acronyms) is a fascinating look at how we might use the Friend-of-a-Friend vocabulary within the NGS and the UK federation access management approaches. I find this really interesting, particularly as it tackles the complexities of both describing people’s relationships rather than just their memberships and the tricky issue of delegation. As I mentioned on twitter, I’m worried about creating a user-friendly interface to allow this complexity to be managed. I’m sure the project team are up for the challenge though!

Things I am worried about:

The recurring theme of the day was, ‘how do we make institutions populate x…..’. Encouraging institutions within the UK to both use richer attribute sets and tackle the group management problem is something I am very keen on. It is something that is encouraged within the recently published Identity Management Toolkit but is a problem we have yet to solve. I would really like to see JISC fund some more projects to help universities and colleges take the next steps to have rich attributes and well managed group systems and would be interested to hear your views on what we should do next in this space to make this happen.

My advice to the projects was to really understand their use case. Do they have attributes they need everyone in the UK to adopt? Is there instead a small group of target institutions? Are there IdPs in other federations that would need to adopt the attributes? Is this a virtual organisation or larger community problem? I also encouraged the projects to use each other as test sites and to make use of the lovely people on the jisc-shibboleth mailing list who are always happy to come forward and give their opinions and support!

My final recommendation is that smaller VO style projects might be more interested in looking at lightweight metadata aggregation than working within the structures of formal national federations. Andreas Solberg has some really interesting tools and ideas on his blog that are definitely worth looking at. I’m interested in these concepts as they challenge our expectations of where ‘federation’ metadata is published, where it is aggregated and by whom.

Challenging our processes and exploring new ways of implementing ideas is what innovation is all about, so I very much look forward to seeing more from these projects from the innovation arm of the JISC Access Management stable!

A colleague of mine in JISC Collections recently said to me that what was a dealbreaker for me with publishers was not necessarily a dealbreaker for them. I totally understand this position – I’m obviously a bit puritanical about wanting publishers to adopt SAML! However, recent discussions on the lis-e-resources list got me thinking about whether access management should or shouldn’t be a dealbreaker for licensed resources. This is further supported by an article by Sarah Taylor in Serials.

During February there were three separate discussions on the lis-e-resources list about access management issues all reflecting the problematic situation of publishers who only offer allocated usernames and passwords or who have complex access routes in to resources. The question was posed – would you cancel a resource because of ‘bad’ access management? Is access management a dealbreaker, or not, and should it be?

When I first joined JISC I worked for the then emerging e-research ‘team’ (of 1!) and had very little to do with the JISC Collections team, who were busy building up a strong portfolio of negotiated deals for the UK educational community. So I was very interested to hear Lorraine Estelle presenting on the NESLi agreement process at the first ever JISC Away Day back in 2003. What impressed me most about NESLi was the fact that institutions agreed not to go to the publishers separately, but only used the NESLi route for the purchase of these specific journal deals. This gave the NESLi team its negotiating platform. Without this buy-in, it would have been difficult to get the publishers involved.

The JAM team have been working hard to persuade publishers of the benefits of adopting SAML as an access management route, and nearly all of the major publishers have now adopted. However, there are still a large number of smaller publishers that have not adopted, and will only use allocated username and password or IP access. This leaves librarians having to manage SAML access, IP access, EZ-Proxy routes, and publisher provided credentials – clearly a difficult management task and something that is not effective for end-users. Regrettably there are still a large number of JISC Collections resources that aren’t compliant – although SAML compliance is in the license it is not currently treated as a dealbreaker and publishers are allowed to come on board on the understanding they will adopt at a future date. In my experience, regrettably this future date rarely arrives.

There is no real reason for non-adoption of SAML-based access routes. There are a plethora of support options available to publishers, such as the offer from Semantico, the Atypon SAML SP, support from organisations such as VLE Middleware, and the OpenAthens SP. Non-adoption really boils down to one thing:

If people will buy the resource without compliance, there is no incentive for the publisher to adopt.

So how can we get beyond this? Is it time for access management to become a dealbreaker? Or is it something that we can continue to live with and manage? I’d be interested in your views….