Computer Systems Laboratory Colloquium

4:15PM, Wednesday, January 28, 1998
NEC Auditorium, Gates Computer Science Building B03

SUNet Authentication

Tim Torgenrud and Scott Brylow
Stanford University

About the Talk:

The arrival of the World Wide Web (WWW) brought about a higher visibility of basic information/document exchange. At the time of its release however, the WWW was intentionally designed to be an "open" specification for data exchange/access. The original design specifically states that security and access controls were left out of the WWW.

Increased usage of the Web for a variety of tasks that involve the sharing of data and files has raised the issue of incorporating access controls and data security into the Web delivery process. Vendors (in particular Netscape) have addressed a part of this by creating a structure through the Secure Socket Layer (SSL) methodology that provides for encryption on the wire. Vendors have not clearly provided the means for incorporating the Web browser into the enterprise infrastructure with an authenticated "login". (Early SSL versions authenticate the Web server to the client browser but do not do the reverse - clearly identifying the user to the server.) This means that the enterprise is required to prompt for a username/password pairing in some manner, typically on an application-by-application basis. Also, many of the vendor-suggested solutions make the assumptions that the environment is firewalled from the Internet and that the internal network is trustworthy. Both assumptions fail in regard to the Stanford network environment.

The Stanford enterprise infrastructure uses Kerberos (currently version 4, migrating to version 5). The only browser that currently supports Kerberos for browser authentication is NCSA Mosaic, now no longer under development. Most vendors have indicated little intent to fit Kerberos directly into their browser product. Most vendors have indicated that they are simply waiting for the establishment of individual public-key certificates as a method of long-term user identification and authentication. The campus authentication system will evolve to support public-key methods as a general Internet public-key infrastructure emerges over the next few years, but this is not a near-term solution.

Stanford's Distributed Computing Group has established a web authentication proxy service in conjunction with a callback mechanism to provide method(s) of bringing the campus authentication infrastructure (Kerberos) and the campus Web environment together to provide a secure method for document transmission that can include user authentication for campus users.

This talk will describe the genesis of the service, the basis of the service, issues remaining with the service, and touch on other work ongoing in this area.

About the speakers:

Tim Torgenrud has been at Stanford since the fall of 1983, first as a student, then as a staff member in the central computing organization(s). Currently, Tim is managing the Infrastructure Delivery Group (IDG) within the Distributed Computing Group (DCG) of the campus Information Technology Systems and Services (ITSS) division. He answers postmaster@stanford.edu mail and keeps his hand in running the campus mailing list server at lists.stanford.edu as well...

Scott Brylow came to Stanford almost a year ago and signed on as Web Applications Development Manager. Prior to that, Scott toured the start-up scene for several years. Scott is currently working on such items as the WebAuth Proxy Service, electronic commerce for campus, and further integration of Leland Web Services into campus folks' daily lives.

Contact Data:

Tim Torgenrud
Distributed Computing Group
Sweet Hall 310
590 Escondido Mall
Stanford University
Stanford, CA 94305-3090
email: torg@Stanford.EDU
phone: (650)723-3940

Scott Brylow
Distributed Computing Group
Sweet Hall 335
590 Escondido Mall
Stanford University
Stanford, CA 94305-3090
email: sbrylow@stanford.edu
phone: (650)725-1317