Home » Posts tagged 'authentication' (Page 2)

Tag Archives: authentication

Our mission

Free Government Information (FGI) is a place for initiating dialogue and building consensus among the various players (libraries, government agencies, non-profit organizations, researchers, journalists, etc.) who have a stake in the preservation of and perpetual free access to government information. FGI promotes free government information through collaboration, education, advocacy and research.

Federal Document Authentication–What level is appropriate?

As I am sure you know, we at GPO have been talking with the library community for several years now about our authentication efforts. This year, we were able to move beyond the discussion phase and implement authentication technology into some of our top GPO Access applications. In early 2008, we integrated an Automated PDF Signing system into our GPO Access workflows, and we successfully released the digitally signed and certified FY 09 Budget of the United States and 110th Congress Public and Private Laws documents on GPO Access. Digitally signing these publications was just the stepping stone for implementing our authentication initiative. Upon approval from publishing agencies, all publications ingested into the Federal Digital System (FDsys) will be digitally signed and certified in the future.

In addition, we will implement authentication technology at the granular level. Granular content, as described in relation to the FDsys, is content that is broken into smaller content units such as chapters, parts, or sections. Our next challenge is to identify at what level of granularity content should be authenticated and digitally certified for each content format. I am very interested in feedback on your thoughts on the level of granularity GPO should authenticate content to share with the team developing FDsys. I am also interested in learning more about your opinions and expectations for the future in relation to GPO’s authentication initiative. For more background on our authentication initiative, please visit http://www.gpoaccess.gov/authentication/.

In Case You Didn’t Already Know…

…the U.S. is not the leader in e-Government…at least according to a study released last week by the Brookings Institution. However, we do rank third, but we are “falling behind other countries in broadband access, public-sector innovation and implementation of the latest interactive tools to federal Web sites”.

Two other articles I read this morning also got me thinking about where we stand as a nation with digital government information: “Old-school Recordkeeping Meets the Digital Age” and “Government Data and the Invisible Hand“. The first article made me feel quite frustrated with our lack of digital preservation progress, especially after reading this quote:

“…lacking a statutory prescription for maintaining electronic records, most agencies print and file [records] as they would paper documents, according to a recent investigation by the Government Accountability Office…Under current regulations, NARA does not require agencies to maintain records in their native formats. So for now, many agencies still print e-mail messages and file the paper versions.Although the filing process is relatively easy, the practice has a major weakness: It eliminates the searchability of digital documents”. (Gee, ya think?!)

Envisioning all those emails being printed by government agency employees makes me think of Google’s April Fool’s joke: the “Google Paper” service!

I hope the next President and his administration will take the issue of e-government and digital preservation/authentication very seriously. Obama and McCain have touched on the issue a bit, including Obama’s vague vision of online government transparency:

“I want people to be able to know, today, this issue is going on…Today, President Obama talked about his proposal for $4,000 student college-tuition credits. It’s going to be going to this congressional committee, these are the key leaders in the House and Senate who are going to be deciding on the bill, here are the groups that support it, you should contact your congressman. The more that we can enlist the American people to stay involved, that’s the only way we can move an agenda forward.”

The second article touches on this issue as well, and urges the next Presidential administration to “embrace the potential of Internet-enabled government transparency [by reducing] the federal role in presenting important government information to citizens”. A profound statement, but read the rest of their argument as stated in the abstract:

“Today, government bodies consider their own websites to be a higher priority than technical infrastructures that open up their data for others to use. We argue that this understanding is a mistake. It would be preferable for government to understand providing reusable data, rather than providing websites, as the core of its online publishing responsibility.

Rather than struggling, as it currently does, to design sites that meet each end-user need, we argue that the executive branch should focus on creating a simple, reliable and publicly accessible infrastructure that exposes the underlying data. Private actors, either nonprofit or commercial, are better suited to deliver government information to citizens and can constantly create and reshape the tools individuals use to find and leverage public data. The best way to ensure that the government allows private parties to compete on equal terms in the provision of government data is to require that federal websites themselves use the same open systems for accessing the underlying data as they make available to the public at large”.

This makes sense if you think of it from the context of all the mashups, RSS feeds, and other interactivity with web content that exists. The rest of the article makes some other interesting points and counterarguments, such as

“A government data provider can provide a digital signature alongside each data item. A third party site that presents the data can offer a copy of the signature along with the data, allowing the user to verify the authenticity of the data item, by verifying the digital signature, without needing to visit the government site directly”.

Easier said than done? Is the “digital signature” they talk about the same as GPO Digital Authentication?

We are making some progress in e-Government and digital preservation of government information but we need to do better. Like Obama said, we can start by contacting our congressmen to voice our concerns and suggestions for improvement on e-Gov initiatives and digital preservation…because I don’t know about you, but I sure don’t want the government to use “Google Paper“.

Authentication: The Next Frontier in Online Government Resources

[Cross posted on LegalResearchPlus.com]

On a daily basis I visit various court and other government websites, often to locate recent opinions, regulations, or agency decisions. It is a common practice for law librarians and for any researcher who wants very recent sources or does not have access to commercial databases. Admittedly it is far less often that I consider whether the case I just downloaded is an authentic representation of the court’s decision.

But consider these two examples. The first from the California Courts website and the second from the website for the First Circuit Court of Appeals:

“The Official Reports page is primarily intended to provide effective public access to all of California’s precedential appellate decisions; it is not intended to function as an alternative to commercial computer-based services and products for comprehensive legal research.”

“Although every effort is made to ensure that the information contained on this site is correct and timely, the First Circuit does not warrant its accuracy. Portions of the information may be incorrect or not current. The information contained on this site should not be cited as legal authority.”

In 2007 the American Association of Law Librarians completed a survey of states’ online statutes, regulations and case law to determine which states, if any, were deeming their online material to be official and/or authentic. The survey, “State-by-State Report on Authentication of Online Legal Resources,” is available from the Washington Affairs Office of AALL. Survey authors Richard Matthews and Mary Alice Baish concluded that while many states considered the primary legal material that they put online to be official, no state had taken steps to authenticate those materials.

In a world where online research is becoming the norm, are courts (and other government websites) really keeping up with the needs of the people they serve by not offering official and authenticated versions of their opinions online?

-Kate Wilko

Authenticity

Who do you Trust? The Authentication Problem

How do we know when a digital document is “authentic”? While many in the library and academic communities hope that there will be a technological solution, the reality is that technology alone cannot solve the problem of authenticity. A report this week of research at a Chinese university illuminates one reason for this: technical tools are subject to failure, compromise, forgery, and hacking.

The article reports a flaw in an official federal standard that was originally devised by the National Security Agency and is widely used to create and verify digital signatures in e-mail and on the Web. In fact, it is embedded in every modern Web browser and operating system. The CNET article notes that, while the flaw that Chinese scientists discovered in the “Secure Hash Algorithm” is “theoretical,” it will eventually make it easier to forge electronic signatures.

But authenticity requires more than secure software. Even if we had a tool that could never be hacked and that would last forever, we would still only have part of a solution: the technical part. The other part of the solution is social: it is the issue of Trust.

Software provides the technical part of the solution

The technology of authentication provides a way to verify that a document is what it purports to be and determine if it has been altered or not. Document-creators can use software to create special files (called “hashes” or “signatures” or “keys”) based on the original document. These special files are typically stored with a “trusted third party” — neither the document creator nor the recipient. Document-users can then use software to check the authenticity of the document in hand against that “hash.” The software is able to determine only if the document in hand is identical to the original. Even the smallest change (e.g., the insertion or removal of a blank space) will result in a report that the documents are not identical.

Trust is the social part of the solution

But this technological check does not solve the authentication problem by itself. The check against the hash is only as reliable as the trusted third party. The software just gives us a technical means of shifting who we trust — instead of trusting the party that delivered the document to us, for example, we trust a third party that tells us that the hash is correct and authentic. If the hash isn’t authentic and unchanged, the check against the hash is worthless.

This concept of a trusted third party is, therefore, an essential component of the authentication chain. That should lead us to an important question: who will we choose as our trusted third parties? This is important because the tools only work if we can trust the third party to do its job. In the case of government information essential to our democracy, this trust has to last forever.

Who do you trust?

Ask yourself who in society is the most trusted third party in delivering information? The government? The press? Publishers? Technology companies like Microsoft and Verizon?

What about libraries?

Now ask yourself what we will do if we think that technological-verification is all we need to ensure authentication and we find one day that the tools have failed as described in the CNET article.

A Social Solution built on Trusted Institutions and Legal Deposit

Trust is a social phenomenon, not a technical one. What if, instead of putting all our faith in potential technological “solution” for ensuring authenticity of government documents, we instead relied on the existing infrastructure of depository libraries to ensure authenticity through their collective possession of multiple copies of digital government publications, distributed by GPO at the time of their publication under the legal-mandate of 44 USC?

This solution promises to be a sound, sustainable one because it relies on libraries as the trusted repository of information. Libraries have a long, well-established social role of providing information; people trust libraries because of it. Libraries have a vested interest in ensuring that the information they provide is authentic and people trust them to do so because it is their primary mission — not a byproduct of publishing or making money or the various missions of government agencies.

The trust people place in libraries in general can be increased in the digital environment by relying, not on one or two libraries, but on many libraries with different funding streams and missions. Any unforeseen compromise in one institution becomes a single error in a large system of information-provision. (See Article outlines bottom-up standards for digital preservation systems.) Even in the paper and ink world, forgeries are possible — though more difficult than in the digital world — and one important way we determine authenticity is by comparing multiple copies.

A different approach

This approach is subtly different from the approach of hoping for a technological solution to authenticity. It recognizes that the social issue of trust (along with the existence of multiple copies controlled by different parties) is paramount and the role of technology is secondary. The role of technology is simply to provide tools to help implement that trust. Indeed, if we used this social-trust legal-digital-deposit approach, libraries would still use technical tools (e.g., LOCKSS, PKI, state of the art hash technologies) to validate the integrity of digital files. Combine these tools with trusted institutions, legal deposit, and multiple copies under multiple jurisdictions and you have fail-safe a recipe for ensuring authenticity.

Summary

The problem with hoping for a technological solution was clearly articulated back in 2000 by Abby Smith, Director of Programs at the Council on Library and Information Resources.

Interestingly, the scholar-participants suggested that technological solutions to the problem [of establishing the authenticity of a digital object] will probably emerge that would obviate the need for trusted third parties. Such solutions may include, for example, embedding texts, documents, images, and the like with various warrants (e.g., time stamps, encryption, digital signatures, and watermarks). The technologists replied with skepticism, saying that there is no technological solution that does not itself involve the transfer of trust to a third party. Encryption — for example, public key infrastructure (PKI) — and digital signatures are simply means of transferring risk to a trusted third party. Those technological solutions are as weak or as strong as the trusted third party. To devise technical solutions to what is, in their view, essentially a social challenge is to engender an “arms race” among hackers and their police.
Digital Authenticity in Perspective in “Authenticity in a Digital Environment,” Council on Library and Information Resources, Publication 92. (May 2000).

James A. Jacobs, November 3, 2005

Archives