Copyright 1999, The Chronicle of Higher Education.
Reprinted with permission. This article may not be posted, published, or
distributed without permission from The Chronicle.
https://chronicle.com
From the issue dated December 10, 1999
Do 'Digital Certificates' Hold the Key to Colleges' On-Line Activities?
Several institutions experiment with technology designed to identify who is using a computer
By FLORENCE OLSEN
Cambridge, Mass.
Facing a growing need to verify the identities of students and
employees for on-line transactions, a handful of universities
have begun issuing high-tech "digital certificates" that are
nearly impossible for hackers to tamper with.
Because the portable electronic identifiers are highly efficient at
proving to other computers that people are who their computers
say they are, officials at some leading research universities say
that certificates have dozens, if not hundreds, of potential uses.
Administrators hope to rely on the digital certificates as they
make more and more of their campus functions "self-service" --
for example, letting students register for courses on line. And
the certificates may let network administrators determine who
gets to take advantage of new high-speed links created by
projects like Internet2.
A digital certificate is a tiny, coded file with identifying
information about an individual or institution. Associated with the
certificate is a pair of encryption keys, one private and one
public. The public key lends its name to "public-key
infrastructure" -- the software, policies, and practices for
managing digital certificates.
Research librarians may have the most pressing need for
certificates, to help their users gain access to data bases and
electronic copies of journals outside of their campus collections.
Most research institutions are not yet issuing digital
certificates, however, because publishers of the electronic
data bases they subscribe to don't have their servers set up to
accept certificates, says Eric F. Celeste, assistant director for
technology planning and administration for the Massachusetts
Institute of Technology's libraries. The publishers see little
reason to invest in the technology until universities do the same.
"They look around and ask, 'Who's got certificates? Why should
we spend energy on this?'" he says.
That stalemate is what prompted M.I.T. and the Corporation for
Research and Educational Networking, a non-profit organization
of colleges and universities, to offer a service for validating the
digital certificates of higher-education and research
institutions that meet CREN's strict technical and business
standards. By using the service, an institution could avoid the
complex business and technical agreements that it would
otherwise need to negotiate, on its own, to insure that its
certificates would be accepted by other universities and
electronic publishers.
The new service, which created its first certificates last month,
could have the effect of "bootstrapping" colleges that might
otherwise lag in adopting an important technology for
conducting transactions with other institutions over the Internet,
says Jeffrey I. Schiller, manager of network services for M.I.T.
and the principal architect of CREN's certificate service.
Many technology experts, Mr. Schiller among them, think that
institutions will quickly find new uses for digital certificates,
and the encryption keys associated with them, if the cost is
reasonable and they learn how to manage thousands of
certificates.
As they get comfortable with the technology, some computing
officials say they may begin using it to put electronic signatures
on official documents or, in some cases, to encrypt sensitive
personnel documents.
But cost could also affect how quickly universities begin using
certificates on a scale larger than that of the current pilot
projects, campus-computing officials say.
One day last month, Mr. Schiller was the center of attention for
about three dozen university officials who crowded into Room
302 of the Muckley Building on the M.I.T. campus here. His
equipment on that day was a specially engineered certificate
server that could be activated only by a physical key. The small
gathering watched as he turned the key and generated its
more-complex digital equivalent, a "root key" for creating CREN
certificates. The key was a sequence of 2,048 characters,
making it "very, very hard" for hackers to break, he said.
As Mr. Schiller carefully executed the initial steps in generating
the root key, several college officials who were present said the
occasion was "historic." After generating the key, Mr. Schiller
used it to sign the first CREN institutional certificate, which was
issued to Princeton University.
CREN has since issued certificates to M.I.T. and the Georgia
Institute of Technology as well. The institutions will in turn use
those to create personal digital certificates for their students,
staff, and faculty members. The certificates, stored in users'
Web browsers, will be linked to those of the institutions,
verifying both the identity of the individual user and the user's
connection to a specific university.
In the case of a user who is seeking access to an on-line
journal, for instance, the certificate would act as a "simple,
anonymous library card that the publisher's server recognizes
as valid because the certificate has the CREN signature," says
Judith V. Boettcher, CREN's executive director.
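The hierarchy described in the preceding paragraphs (a CREN root key signing institutional certificates, institutions signing personal certificates, and a publisher's server accepting a personal certificate because it chains back to the CREN signature) worked through with Go's standard x509 library, as an added example that is not part of the original article or of CREN's actual service. All names are constructed, the "unaffiliated CA" is a hypothetical institution CREN never certified, and `PublisherAccepts` models the publisher's server, which needs to trust only the single CREN root.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// issue signs a certificate for cn with parentKey; a nil parent yields a self-signed root.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // the 2,048-bit size the article mentions
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // only CA certificates may sign others; user certificates are scoped to client authentication
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// PublisherAccepts models a publisher's server that trusts only the CREN root: the user's certificate
// is accepted only if it chains, through the institution certificate the user presents, to that root.
func PublisherAccepts(crenRoot, institution, user *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(crenRoot)
	inters.AddCert(institution)
	_, err := user.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Demo builds the article's three-level hierarchy (constructed names) and reports whether a
// CREN-chained student is accepted and whether a user certified by an unaffiliated CA is rejected.
func Demo() (studentOK, outsiderOK bool) {
	cren, crenKey := issue("CREN Root CA (constructed)", true, nil, nil)
	univ, univKey := issue("Example University CA (constructed)", true, cren, crenKey)
	student, _ := issue("student@example.edu (constructed)", false, univ, univKey)
	other, otherKey := issue("Unaffiliated CA (constructed)", true, nil, nil)
	outsider, _ := issue("outsider@example.org (constructed)", false, other, otherKey)
	return PublisherAccepts(cren, univ, student), PublisherAccepts(cren, other, outsider)
}
```

Because the publisher verifies against one root rather than one configuration per university, a new institution certified by CREN is accepted without any change on the publisher's side, which is the interoperability problem the service was created to solve.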
Digital certificates are designed to resolve problems like the
ones facing the libraries at M.I.T. About three years ago,
students and employees at M.I.T. began paying Internet-service
providers commercial rates for connections, which in many
cases were cheaper than those offered through the institution.
That shift gave them addresses that didn't end in "mit.edu."
Soon many of them found they were barred from library
resources because their addresses could not be recognized as
originating at M.I.T.
As a stop-gap measure, M.I.T. installed a proxy server, into
which M.I.T.'s library users can dial from anywhere to gain
access to licensed data bases. But before that could happen,
M.I.T. officials had to persuade more than 60 data-base and
journal publishers to accept requests routed through the proxy
server.
Most of the publishers agreed to do so. But M.I.T.'s Mr. Celeste
says proxy servers are "terrible" to manage, and M.I.T. looks
forward to replacing them with a digital-certificate system.
M.I.T. officials have begun talking about other uses, too, for the
university's CREN-based certificates. "As we roll out
certificate-authenticated services on campus," Mr. Schiller says,
"alums may want to get access to those services" -- such as
permanent M.I.T. e-mail addresses, which the university now
offers to its graduates.
Several other research universities, among them the University
of California system and Columbia University, are planning in
2000 to expand pilot projects in which they have issued digital
certificates to some of their library users.
So far, verifying a person's identity on the Internet is the only
use for which the University of California system has approved
digital certificates, says David Wasley, an
information-resources official in the university president's office.
Mr. Wasley thinks it could be several years before the California
system is able to rely on the technology for a variety of daily
operations. "We really want to get more practical experience
and feedback," he says. Eventually, however, system officials
want to use digital certificates to guarantee "the validity and
auditability" of all university business conducted over the
Internet, Mr. Wasley says.
Georgia Tech intends to rely on digital certificates "across
every regime," for administrative, academic, and research
purposes, says Gordon Wishon, associate vice-president and
associate vice-provost for information technology. The
university, which is installing an electronic-procurement system
from the PeopleSoft Corporation, will need digital certificates
to prove that transactions have been initiated and authorized by
the appropriate people, he says.
Universities with Defense Department research contracts will
probably be the early adopters of certificate technology, says
David J. Hogarth, administrative assistant to the assistant
provost at M.I.T. The department has announced that it intends
to have digital certificates for its four million civilian and
military employees and contractors by the end of 2002.
As with any new technology, the importance of having
appropriate policies and procedures in place for handling
digital certificates can't be overlooked, says Ira H. Fuchs,
vice-president for computing and information technology at
Princeton, which will use its new digital certificates to identify
library users to electronic publishers whose data bases and
journals the library has licensed. Mr. Fuchs is also the founder
and president of CREN and the chief scientist of JSTOR, a
non-profit organization that offers a data base of back issues of
academic journals.
Mr. Fuchs says the policy questions will "get very sticky" unless
universities think clearly about what they are doing before they
start issuing digital certificates to everyone -- leaving
themselves "no way to undo what they've done." Among the
"sticky" issues, he says, is how to handle the "escrow" keys,
used for decoding, that institutions will need if they plan to
encrypt documents.
To realize the full potential of digital certificates, institutions
will need standards for managing different levels of access to
digital information, Mr. Wasley says. Budgetary and financial
information, personnel data, and even network services, for
example, are resources for which universities should offer
different levels of controlled access.
Internet2's promise of providing a better network for scientific
research, he says, "will be meaningless" without access
controls. "You don't want high-definition television coming out of
the dormitory, tying up Internet2," agrees Clifford A. Lynch,
executive director of the Coalition for Networked Information, a
consortium that promotes the use of computer networks.
Digital certificates, he says, are the answer.
Cost, at least initially, could limit the use of digital certificates
to a small number of well-heeled research universities.
Commercial outfits that charge on a per-certificate basis -- even
at 2 cents each -- may price themselves out of the university
market, according to Mr. Wasley, who says "the cost model is
very important." But if a university purchased a site license for
its entire population, he says, it "could issue three million or 30
million certificates -- it wouldn't change the cost."
CREN's certificate service is free to members of CREN and
available for a fee to non-members. Only about a half-dozen
certificate-service providers operate today, including those run
by the federal government and by several large companies.
How quickly electronic publishers and other users begin to
accept electronic certificates from CREN or other certificate
authorities may ultimately depend on how easy it is to set up
servers that recognize the certificates. Columbia's experience in
a pilot project with the OCLC Online Computer Library Center
and JSTOR "leads us to think it's not that hard," says David
Millman, manager of research and development for academic
information systems at Columbia.
Leah Houser, the manager of OCLC's reference services, says
her biggest concern is the prospect of having to work with too
many certificate-server configurations put together by different
colleges and universities. If universities wind up using widely
dissimilar technical approaches, she says, managing certificates
could become "onerous" for electronic publishers.
Electronic publishers also may have to be persuaded that
digital certificates are not just the latest gee-whiz fad. "We
have to sell them on the fact that this is not something that
we're going to experiment with, see what happens, and then
throw it away," says Ron Hutchins, director of engineering at
Georgia Tech. Digital certificates will be the infrastructure on
which, he says, "our future depends."
Section: Information Technology
Page: A47