(5/22/2009 2:01:00 PM) pbh has set the topic to: May 22nd conference call
(5/22/2009 2:04:57 PM) pbh: Hmm, deafening silence.
(5/22/2009 2:05:02 PM) Thomas Howell: yeah I know
(5/22/2009 2:05:27 PM) Thomas Howell: granted it is a holiday weekend
(5/22/2009 2:05:54 PM) Thomas Howell: a few folks said they couldn't come today, Dean for instance asked that I find someone to take notes
(5/22/2009 2:08:40 PM) pbh: Rich will be calling in RSN.
(5/22/2009 2:11:21 PM) pbh: Rich are you also calling in, or will you just be on chat?
(5/22/2009 2:13:00 PM) pbh: Rich and I started on walk-in?
(5/22/2009 2:18:40 PM) Thomas Howell: determine how to communicate about use cases.
(5/22/2009 2:19:22 PM) pbh: Here is our newest page https://spaces.at.internet2.edu/display/inclibrary/Use+Case+Subgroup but there is no content.
(5/22/2009 2:19:39 PM) Thomas Howell: https://spaces.at.internet2.edu/display/inclibrary/Use+Cases+--+Shib+and+EZproxy
(5/22/2009 2:24:31 PM) Thomas Howell: we've decided to use the wiki to categorize the existing use cases (and eliminate dups)
(5/22/2009 2:24:52 PM) Thomas Howell: we determined that we need to have the wiki returned to the state where we can edit entires
(5/22/2009 2:24:56 PM) Thomas Howell: err entries
(5/22/2009 2:26:17 PM) Thomas Howell: do we want to limit the number of use cases?
(5/22/2009 2:26:34 PM) Thomas Howell: two types, general and the fine grain
(5/22/2009 2:27:43 PM) Thomas Howell: initially we'll focus on broad use cases
(5/22/2009 2:27:51 PM) Thomas Howell: later we'll work on fine grain cases
(5/22/2009 2:29:35 PM) pbh: some of my initial thoughts on the technology approaches for authentication of walk-in patrons. During the scheduling of the call I had failed to notice that I would be on vacation on the 1st. I do not intend to call in while taking a vacation day.
1. Library uses captive kiosk machines that don't allow ANY user to perform additional authentication.
   - Access control may be based on the known IP addresses of the kiosk machines.
   - Access control may be based on a credential associated with the kiosk machines:
     - Kerberos keytab
     - X.509 certificate
2. Library uses kiosk machines that provide a login button that allows students, faculty, and staff the ability to login. Other patrons operate under a guest account (or IP address identifier).
   - There are typically concerns about having keyboard sniffers or other Trojan horses installed on such machines. They may become an attack vector used to gather username/password pairs of the user community.
   - Are there best practices for how the machines should be secured? Do best practices address USB devices that can be placed in-line with the keyboard to act as a hardware-based keyboard sniffer?
3. Library uses kiosk machines that provide an optional login to all members of a particular federation. Other walk-in patrons operate under a guest account.
   - Case 2 does not necessarily imply that Shibboleth is the authentication method for the authentication of the core community. This case is aimed at using Shibboleth as the sole authentication mechanism. The guest account would still be authenticated via Shibboleth; however, the guest would not necessarily know the password of the guest account.
   - How would campuses deal with external IdPs, in particular ProtectNetwork.org or TouchstoneNetwork.net, which allow anyone in the world to sign up for an account?
4. Library provides kiosk machines that normally operate as guest. Machines have a card reader and patrons may swipe their cards for access to extended services.
   - This is a refinement of case 2 (or 3), but the concerns of password sniffing are reduced. Although the card swipe information could be replayed for ongoing access to library materials, presumably an attacker would not be able to use the gathered information to access financial systems, email, or other applications.
   - The assumption is that the card is not a smart card. It has a mag-stripe or optical barcode.
5. Library provides wireless network access. Any patron can walk in with a device and gain network access. System must be able to distinguish location to determine access privilege.

Other issues:
   - Alumni usage? Does this entail different privileges than the general walk-in community, but fewer privileges than current students and staff?
   - Summer camp attendees that need access for the duration of summer camp. Are such groups generally extended different privileges than a simple walk-in, or are they functionally equivalent?
   - What about patrons that should have different privileges than a walk-in, but are not part of the campus-wide authentication system?

It seems to me that we should also flesh out some of the different approaches to privilege management. Are all walk-ins the same wrt to the privileges being granted? If not, what are some of the reasons that different privileges should be granted? (Affiliation, location, time, money)
Do we have a consensus on what we mean by "online resources"? I think we are all including access to 3rd party or remotely hosted databases or repositories. Are there other resources as well? (e.g. print on demand, borrowing audio or video for later playback, ...)
(5/22/2009 2:31:27 PM) pbh: Sounds like my description (smile)
(5/22/2009 2:33:20 PM) Thomas Howell: [for meeting notes, we are presently describing what a walk-in is]
(5/22/2009 2:37:07 PM) Thomas Howell: issue of wireless on campus/near campus
(5/22/2009 2:37:34 PM) Thomas Howell: [gray areas]
(5/22/2009 2:37:38 PM) Thomas Howell: matrix of users