
No. 7, Issue 3, JSTORNEWS, October 2003

Shibboleth: A Potential Alternative to IP-based Authentication

At JSTOR, there is a continuing effort to carefully balance our dual missions of providing broad access to the back-runs of important scholarly journals and offering a secure, long-term archive for the content with which we have been entrusted. Part of this ongoing effort includes actively participating in community efforts focused on facilitating broad access using more secure authentication and authorization methodologies. For the past several years, we have been working with various standards groups to investigate different initiatives that might offer our participants alternatives to our current IP-based authentication mechanisms. While IP-based authentication is certainly the most popular form of access in the academic community at this time, the impact of the inherent vulnerabilities of this form of authentication (i.e. unauthorized access to licensed resources via open proxy servers [1]) has led us to intensify our efforts to examine acceptable alternatives.

Since 2002, JSTOR has been working closely with the developers of Shibboleth, an Internet2 [2] research effort. Historians may recall that "shibboleth" was a word used in biblical times by the Gileadites as a verbal password to distinguish them from their enemies. Its intended purpose is similar today. In practical terms, the Shibboleth software provides an authentication and authorization mechanism for use between two entities - for our purposes, between institutions and information resource providers. The goals of the Shibboleth initiative are to create practical technologies, as well as a policy framework, that will allow institutions to easily share authentication information about users and their authorization attributes (i.e. access privileges). Shibboleth software is standards-based to ensure interoperability amongst disparate systems and is publicly available in open-source form, as a plug-in to Apache, the popular open-source web server software. Shibboleth is currently at version 1.1, which means it has been tested sufficiently to be usable and dependable. The base software handles the virtual "handshake" between origins (typically institutions) and targets (typically information resource providers), and provides for attributes and entitlements (such as access privileges) to be exchanged. This virtual "handshake" is done in a manner that still protects the privacy of individual users.

Currently, two federations representing a community of parties interested in exchanging authentication and authorization information via Shibboleth are forming to implement and test the software, develop common practices, and establish standards for these attribute exchanges. The first, InQueue, is intended for institutions that would like to experiment with Shibboleth and develop their prototype implementations, but not make those implementations "live." The second federation, InCommon, will be used by those that wish to create "live" implementations, which require more stability, reliability, and predictability. So far, about fifteen institutions, including JSTOR, as well as a few other information resources, have joined InQueue. All interested parties have successfully obtained (experimental) access to JSTOR via Shibboleth.

We will continue our work with Shibboleth and the InQueue federation members. We think Shibboleth has the potential to be a good, long-term approach to replacing the existing, flawed IP address access control mechanism. We encourage our participants to learn more about the software, speak to their technology staffs, and determine if and when they would like to consider the use of this new and very exciting technology.

You can learn more about the Shibboleth project at http://shibboleth.internet2.edu, or by contacting JSTOR directly: support@jstor.org


[1] For more information on open proxies, please go to http://www.jstor.org/news/2002.12/open-proxy.html.

[2] For more information about Internet2, please visit their website: http://www.internet2.edu/.

Last updated on September 8, 2006



©2000-2007 JSTOR