This Circular invites FE and HE institutions to bid to undertake a number of projects designed to give the UK experience of the emerging technologies in the authentication and authorisation area, based on open, vendor-independent standards.

Circular 6/02: Call for Projects in Authentication and Authorisation

6th June 2002

To:
Heads of Further and Higher Education Institutions funded by the English, Scottish and Welsh HEFCs and FEFCs and by DEL, Northern Ireland

Copies:
Directors of Information Services
Learning Resource Managers
JISC Committee Members
JISC Executive
JISC Regional Support Centres
JISC Services
e-Science Regional Centres

Summary

  1. This circular invites FE and HE institutions to bid to undertake a number of projects designed to give the UK experience of the emerging technologies in the authentication and authorisation area, based on open, vendor-independent standards. Further information about the scope of the call is contained in paragraph 16 below. Institutions have a period of six weeks to respond. The deadline for full proposals is 12 noon on Thursday 18th July 2002. Paragraphs 37-42 provide further details of the bidding process.

Background

  1. Key to the development of a secure environment for the UK education community are robust authentication and authorisation services for staff and students accessing datasets and other sources of electronic information. With this in mind, the Joint Information Systems Committee (JISC) has, for several years, funded the Athens national service to provide a single username/single password access management system for the UK academic community. Athens is now being used by substantial numbers of students, staff and researchers in the education and health sectors of the UK and Ireland.
  2. The JISC is currently investigating next-generation authentication and authorisation tools aimed at meeting the needs of the community for at least the next five years.
  3. The JISC is committed to the adoption and promotion of open, vendor-independent standards particularly where infrastructural services are concerned. It is also committed to working with partner organisations in the UK and in other countries to ensure that, so far as possible, common standards are adopted internationally for the infrastructure underpinning education and research.
  4. Athens, although it continues to provide a valuable service, is at present wholly proprietary and is only deployed to any significant extent in the UK and Ireland. So long as this situation persists, the JISC considers it unlikely that Athens will constitute the long-term strategic direction for the UK HE/FE and research communities. Alternative solutions based on open standards are developing rapidly, and it is these which can be expected to gain support in other communities which have not as yet adopted any particular access management system.
  5. The JISC is actively involved in these new developments and the present call for proposals is, in large part, designed to give the UK experience of the emerging technologies in this area.
  6. It is of course recognised that institutions require time to migrate from any established service to its successor. If or when a decision to terminate the Athens service is taken, the JISC will endeavour to give the maximum possible notice and, so far as resources permit, to assist in managing the transition so as to minimise the inconvenience to the community.
  7. Against this background the JISC, through its Committees for the Information Environment (JCIE) and for the Support of Research (JCSR), intends to fund a number of proposals to advance its programmes of work in the areas of authentication, authorisation and related applications. These will for the most part be short (i.e. one-year), practically focused projects designed to explore technical and management issues in a number of areas detailed below, but some more substantial projects may be considered for longer-term funding where these address issues of greater complexity.
  8. The programme is intended to address both the particular needs of the e-Science research community, and the wider needs of the JISC's work in developing the Information Environment. 
  9. Proposals are invited from FE and HE institutions funded via the UK funding bodies. These may be from single institutions or consortia. Partnership arrangements may be developed outside the sector (for example with research council sites, commercial suppliers of IT products and services or publishers), though the lead body must be part of the FE or HE community and funds can only be allocated through the lead site.
  10. JISC funded services are also invited to submit proposals in partnership with colleges and universities, in particular to explore the issues of authentication and authorisation for JISC services on a national scale. Services are reminded that it will be important not to duplicate work currently funded under any other JISC programmes.

Definitions and scope of the call

  1. In the remainder of this paper the term authentication is used to mean the act of verifying that an electronic identity (username, login name etc.) is being employed by the person to whom it was issued; and authorisation to mean the process of determining, e.g. by verifying what attributes or roles are associated with that identity, whether the identity should be permitted access to a given resource. Traditional computer systems often tacitly combine authentication and authorisation, in the sense that the login process usually places the user in a context where his/her access rights are already established. In more complex distributed environments, however, authorisation may rely on services additional to the authentication process and it is logically regarded as a separate function.
  2. The JISC has recently published a consultation paper on the future of authentication and authorisation for JISC services. The central recommendation was to move towards widespread use of personal digital certificates as the basic authentication technology. It was however recognised
    1. that more experience would need to be gathered on a number of practical and management issues concerning the use of certificates on a large scale in college and university environments; and
    2. that the authorisation problem was much less well understood than authentication, and would only be solved on a somewhat longer time scale.
  3. These two points were strongly endorsed by many responding to the consultation paper. A widely held view was that in addition to the need to pilot the use of the technologies involved, any national strategy should preferably allow for a "mixed economy" in which specified technologies could co-exist (perhaps over extended periods of time).
  4. The JISC acknowledges these concerns and the present call for proposals is designed to accommodate them, while still maintaining necessary momentum in areas where progress is urgently needed. One aspect of the consultation paper which will be deferred is a procurement for a managed service to provide certificates on a large scale. The need for a future service of this kind will be kept under review as the needs of the education and research communities evolve.
  5. Proposals are invited for projects in the following areas:

Authentication

  1. If suitable proposals are received, a number of projects will be funded to explore the technical and management issues involved in using digital certificates on a significant scale within institutions. Partnerships with JISC services or, for example, publishers – to pilot the use of certificates for authentication to external resources as well as internal ones – would be of particular interest. These projects will be expected to provide data on the economics of large-scale certificate use. Other specific factors which might be investigated include (but are not necessarily confined to)
    • certificate profiling
    • life-cycle management of certificates, including revocation mechanisms
    • key recovery mechanisms
    • use of certificates on public-access workstations
    • user mobility (on and off campus)
    • "mixed economy" working, i.e. use of certificates alongside more traditional forms of electronic credentials
    • development of open source tools to facilitate deployment of certificates in typical university or college environments
  2. Either within one or more of the authentication projects described in (a) above, or as separate more technically focused projects, there is a need to assess emerging technologies which claim to provide better management controls than conventional certificate regimes. These include (but are not necessarily confined to)
    • short-lived certificates created "on the fly" from within other authentication regimes, such as the KX509 scheme from the University of Michigan or the IDsec proposal recently submitted to the Internet drafts process
    • key splitting, described in a paper by Boneh and co-workers and available in a public-domain reference implementation from Stanford University, as well as packaged in a commercial product (using a different key-splitting algorithm) from SingleSignOn.Net 
    • Micali's proposal for efficient revocation, which is now also being commercialised under the tradename Novomodo

    NB: The JISC is in touch with many of the individuals and companies involved and may be able to assist those writing proposals for technology pilots in making suitable contacts (see JISC contact details in paragraphs 44-45 below).

Authorisation

    1. Two authorisation schemes from the Grid community, i.e.
      are of immediate interest to the e-Science programme and projects to evaluate these are specifically sought. Both would probably best be investigated in the context of an existing Grid project or Grid support test-bed, although Akenti may be of more general long-term applicability and should be looked at with this in mind.
      1. Authorisation schemes targeted more at managing access to electronic resources include:
        • PAPI from the Spanish research and academic network (RedIRIS); and
        • Shibboleth from the Internet2 project.
        The JISC already has a project to evaluate Shibboleth and would welcome a parallel evaluation of PAPI in a suitable context.
        1. Other, possibly innovative, approaches to authorisation are not excluded, particularly if they address situations where current systems have clear shortcomings. One such area which the JISC believes has potential for a new and improved authorisation scheme is in learning and teaching, where one institution's learning materials and other support systems are made available to students from other institutions.

Accounting

        1. The JISC believes that in the future there will be more demanding needs for resource accounting in distributed environments, and that standards-based approaches to gathering accounting data will become increasingly important. The Internet Engineering Task Force has selected a protocol (Diameter) for this purpose and its working group on Authentication, Authorisation and Accounting is actively working on further standardisation of this protocol and on specifying how it should be deployed. A study examining the relevance of this work to the interests of the JISC and the e-Science programme would be of interest.

Partnership and Project Outputs (Evaluation and Dissemination)

        1. The JISC will oversee and monitor the progress of funded projects. This will include recognition that in groundbreaking work there may be failures as well as successes, but that all such experience can provide valuable information for the community. It is also recognised that aims and objectives as well as the technological context can change, and that individual project objectives may need to be renegotiated over time.
        2. The JISC will undertake evaluation in partnership with the funded projects, which will be required to co-operate with the programme evaluation. Each project will need to build in evaluation activity in its project planning. The scale and nature of this project evaluation will naturally be dependent on the size and scale of project activity, and should be appropriate to programme aims.
        3. The JISC will draw up a dissemination strategy in partnership with the projects and other JISC initiatives. However projects will be expected to engage in project-specific dissemination to the FE and HE sectors as appropriate (see paragraphs 29-31 below on Public Relations).
        4. The JISC will look for phased outcomes as the projects progress. The nature of the project outputs will be expected to:
          • provide a lasting benefit to the community;
          • have a scale and nature concomitant with the level of funding provided;
          • contribute to achieving the JISC's strategic aims.

Evaluation Criteria for Proposals

          1. Proposals will be evaluated according to the following criteria:
            • Quality of proposal and workplan - the extent to which the proposal addresses the issues and demands outlined in the call, and shows innovation as appropriate; the quality of the proposal will be assessed on the basis of the deliverables identified and the evidence provided of how these will be achieved (30%)
            • Impact - the extent to which the project outcomes will be of overall value to the FE/HE and e-Science communities; included in the assessment under this criterion will be the need for sustainability of the work at the end of the project funding period (30%)
            • Partnership and dissemination - the degree to which the proposal demonstrates an openness and willingness to work in partnership with JISC in forward planning, dissemination and evaluation, and the potential for extended partnership beyond the funding period (10%)
            • Value for money - the value of the expected project outcomes vis-à-vis the level of funding requested, taking into account the level of innovation, chance of success and relevance to the target communities (15%)
            • Previous experience of the project team - evidence of the project team's understanding of the technical and/or management issues involved, and of its ability to manage and deliver a successful project, for example through work done to date in the area or in related fields (15%)

Accessibility Issues

            1. In keeping with the requirements of the Disability Discrimination Act and Human Rights legislation, and the wider access policies of the Funding Councils, it is expected that software and IT resources in institutions should be accessible to staff and students with disabilities. Proposals should, where appropriate, take account of accessibility issues.
            2. Advice and recommendations for ensuring that IT based systems, tools and resources are accessible by all staff and students can be found in the resource section of the Technology for Disabilities Service (TechDis). Further advice and consultancy is available from the TechDis Centre itself.

Public Relations

            1. The JISC will provide help and guidance to all funded projects regarding publicity, dissemination and evaluation activities.
            2. The JISC endeavours to ensure that a coherent message is given to the community covering the breadth and depth of its activities. Projects will be expected to follow the JISC PR strategy and guidelines. These include advice on developing publicity materials and producing press releases, and will be issued to funded projects.
            3. Projects will be expected to establish and maintain a web site for the dissemination of information about the project (the size and scale of which will of course be dependent on, and appropriate to, the level of resourcing of a given project).

Bidding - Eligibility and Level of Support Available

            1. FE and HE institutions and departments and individuals from FE/HE institutions funded by the UK funding bodies are eligible to submit proposals.
            2. Consortium partners external to FE/HE are welcome, but the lead partner must be a FE or HE institution funded by the UK funding bodies. Budgets for partners outside the FE/HE community cannot be met directly by the JISC.
            3. As indicated earlier, the majority of the proposals funded are expected to be for projects of no more than one year's duration, although where there is a clear need for a longer workplan, projects extending into a second year may be considered.
            4. In some of the areas outlined the JISC is seeking early results and here proposals to carry out short studies, or short focused projects involving new work, of up to six months' duration will be particularly welcome.
            5. As general guidance the maximum amount allocated to any one project is unlikely to exceed £150,000 for a one-year project, but the committees are hoping to fund a mix of shorter and longer projects with an average budget per project of less than this figure. All projects are encouraged to start as soon as possible from 1st October 2002. Funds available will not cover institutional overheads. Where possible, institutions are invited to make contributions to the work.

Bidding Process

            1. The content of the bids should reflect the evaluation criteria set out in paragraphs 24-26 above. To assist in the assessment of all proposals against a common baseline, all proposals should be structured as follows:

              1. Introduction - A brief outline of the nature of the work to be undertaken, the length of the project, the proposed start date (projects are encouraged to start as soon as possible) and a summary of how the project will contribute to the programme.
              2. Project description - A description of the intended project plan, timetable and deliverables, and an explanation of how the detailed project outcomes will be of value to the JISC community.
              3. Budget - A summary of the proposed budget which in broad outline identifies how funds will be spent over the life of the project, including a breakdown of funding across academic years (1 August to 31 July); staff costs, equipment and consumables, travel and subsistence (if applicable), dissemination, evaluation and other costs should be itemised and an indication of any institutional contributions (e.g. overheads, equipment, staff time) should also be provided.
              4. Capabilities - A summary of evidence demonstrating ability to undertake the project, for example brief statements of the institution’s and project team's experience and achievements relevant to the proposed project.
              5. Key personnel - Names and brief career details of staff expected to contribute to the project, including qualifications and experience in the area of work proposed and evidence of any projects of similar nature successfully completed.
            2. Proposals are limited to a maximum of 10 A4 sheets, plus cover sheet (see Appendix A to this Circular) and appendices, together with a letter of support from an authorised senior manager at the institution – in the case of consortium proposals, one from each member institution. Appendices should only be used to provide supporting information. The proposal structure outlined above should be contained within the 10 A4 sheets. Only the first 10 pages of the main body of the proposal will be used to evaluate submissions. Bidders are therefore advised not to exceed this 10 page limit.
            3. Hard copies of the cover sheet, project proposal, any appendices and letter(s) of support should be sent to:

              Rachel Merrett
              JISC Executive
              Northavon House
              Coldharbour Lane
              Bristol, BS16 1QD
            4. An electronic copy of ALL the proposal documentation (cover sheet, project proposal, any appendices and letter(s) of support) should also be sent to Rachel Merrett. 
            5. The title of the email should indicate the host institution submitting the proposal and the title of the project:
            6. Both hard copy and emailed proposals must be received by 12 noon on Thursday 18th July 2002. Faxed or late proposals will not be accepted.
            7. The JISC will consider these proposals and endeavour to notify bidders of the outcome of the review process by the end of September 2002.
            8. JISC will expect to work with the selected projects to agree the workplan and to ensure that the project budget is appropriate and suitably profiled: it may be necessary to negotiate some aspects of the project objectives and content with the project teams in the interest of maximising the expected benefits of the programme as a whole.

Further Information

            1. Technical enquiries about the programme should be sent to:

              Alan Robiette
              JISC Programme for Authentication and Security
              30 High Street
              Warwick, CV34 4AX

              Tel: 01926 409627
              Email
              (communication via email preferred)
            2. General enquiries about the proposal submission process should be sent to:
              Joseph Hutcheon
              JISC Executive
              Northavon House
              Coldharbour Lane
              Bristol, BS16 1QD

              Tel: 0117 931 7251,
              Email

              or

              Rachel Merrett
              JISC Executive
              Northavon House
              Coldharbour Lane
              Bristol, BS16 1QD

              Tel: 0117 931 7124

Cover sheet for proposals

            (NB: All sections must be completed)

            JISC Circular 6/02: JISC programme in authentication, authorisation and accounting

            Name of lead institution/organisation

            List project partners (if none, please enter none)

            Name of proposed project

            Full contact details for primary contact

            Name:
            Position:
            Email:
            Address:

             

            Tel:
            Fax:

            Programme area(s) of proposal (Please indicate the programme area using the categorisation a) - f) in paragraph 16 of the Circular)

            Length of project

            Project start date (earliest start is 1st October 2002)

            Total cost to the JISC over life of project

            Cost of proposal to the JISC in each academic year (1 August – 31 July)



            Outline project description




             

            Names and contact details of any additional contacts



             

          2. In the case of consortium proposals, the strength of the consortium will be considered. This refers to evidence of the commitment shown by the consortium partners to the consortium and the proposed project, and the degree to which the work proposed is aligned with institutional strategies and is shown to be embedded within the mainstream of the consortium. Proposers may wish to produce evidence such as partnership agreements, strategic plans, working papers etc. These may be included as appendices to the proposal and need not be counted within the 10-page limit.
          3. Notwithstanding the weightings of the evaluation criteria, proposals that fail badly on any one criterion may be rejected, and proposals showing exceptional strength in one or more areas with serious weaknesses in others may be funded. In making awards under this call the JISC will take into account the need for an appropriate, varied and affordable portfolio of projects and partners. It is not, therefore, necessarily the case that the projects with the highest raw scores will be those funded in all instances.
          4. Projects will be expected to follow the normal JISC project management guidelines. These include IPR and copyright guidance, adherence to good project management practices, regular reporting and participation of projects in steering committees. A Programme Manager based in the JISC Development Team will provide management support to projects. Project management guidelines are currently under review but an up-to-date copy will be issued to funded projects.
          5. The JISC does not seek to retain IPR in the project deliverables created as part of its programmes. However funding is made available on the condition that project outputs are made available, free at the point of use, to the UK HE and FE community in perpetuity, and that these may be disseminated widely in partnership with the JISC.
          6. It is intended that the deliverables created as part of this programme will, as appropriate, be deployed by the JISC as part of a long-term strategy for providing access to community resources and where this is possible arrangements for archiving of deliverables will be set in place. However, projects will also be encouraged to set in place mechanisms to ensure the continued availability and currency of deliverables after funding has ended. The JISC will not be able to commit to the long term delivery or maintenance of project outputs after the end of the programme, though guidance will be given about opportunities for continuation funding and embedding within institutions.