Legal Technicalities…

One of the problems faced by access management federations as they are currently being developed is the ‘two worlds collide’ problem of establishing trust. For most federations, the trust relationship is currently defined by a legal or quasi-legal agreement between members (typically distinguished as Identity Providers and Service Providers) in the form of a signed set of rules, agreements or policies. A lot of good work and effort has been put into getting these agreements right, and I think most of the national education and research federations have developed appropriate lightweight agreements that cover the necessary trust issues in a coherent (although often culturally slightly different) way.

The problem with a legal agreement is that at some point it is inevitable that the lawyers become involved…and lawyers and technologists simply don’t mix! I have lost count of the number of times I have seen a perfectly well-defined technical clause tortured to death by lawyer-ese and turned into something incomprehensible, often factually inaccurate and in some cases potentially capable of invalidating the contract. I cannot stress enough how important it is for anyone developing or thinking of signing any contract involving technology to take good advice from people who know what they are talking about when it comes to ‘techie stuff’.

Here are some of my ideas to help improve this situation:

  • Librarians, DO ask your IT colleagues to run an eye over licenses before you commit yourself to them. They are more likely to spot those odd clauses where you are being asked to reveal student passwords or carry out convoluted and impossible identity management processes.
  • If in doubt, leave the technology out. One of the simple ways of gaining consensus on these issues is to have the contract refer to signatories following a technical specification, and to ask an appropriately qualified technical person to draft this specification.
  • Lawyers, contracts managers, license negotiators, DO seek technical advice as well as getting your documentation approved by your legal department. DON’T be afraid to admit where you don’t properly understand a technical term or process and get these sections properly written up. A badly worded definition of security could be a costly mistake.
  • Technologists, DO try to think about documenting your processes in a way that can be interpreted by other people within your organisation to help effectively support this process.

It will be interesting to see how long federations rely on policy agreements to gain trust between members. The alternative of each organisation exposing their metadata with appropriate technical trust attached (such as digital signatures, better use of digital certificates etc.) is already possible but I don’t think education institutions within the UK would be ready for such a step. I also think that librarians and publishers in particular like the fact that the current federation infrastructure reflects the known licensing process. It would also mean we would have to be even more careful about license terms surrounding technology that are agreed in the standard bilateral agreements between library and publisher…and that is a big challenge.

I wonder if we will see a divergence of approach to federated access, with commercially valuable resources preferring the current legal framework of federations whilst other resources take advantage of more flexible technical trust? Time will tell…