Re: eprints and authentication

2000-11-09 Thread Rzepa, Henry 
>Why should a pdf be locked? Getting away from the idea that work is always
>on paper says to me that it should not be read-only *at the user end*. The
>emerging means of authentication described by Adrian should be an excellent
>way forward, but why the need to lock as well?
>
>I ask because for projects such as ours, which involves adding third-party
>reference links to pdf documents, locking is not insurmountable but is
>against the principle of what we are trying to demonstrate.


I prefer to use the term "signed".  This authenticates the document
(or a fragment of it) but does not prevent others from  "re-using"
it (although the original signature is now invalidated if they do
quote it with changes).
  A document can be signed many times by many people of course.

I am convinced that as we move into an "information anywhere and
from anywhere" era, the need to know which bit came from where
and when becomes essential.
--

Henry Rzepa. +44 (0)20 7594 5774 (Office) +44 (0)20 7594 5804 (Fax)
Dept. Chemistry, Imperial College, London, SW7  2AY, UK.
http://www.ch.ic.ac.uk/rzepa/

Re: eprints and authentication

2000-11-08 Thread Steve Hitchcock 

At 17:08 08/11/00 +, J Adrian Pickering wrote:

 but found
none in the random selection of the 30 articles  I looked in.
Acrobat also has mechanisms to lock the article to prevent it from
being modified.  These mechanisms too did not seem to be used by
any of my publishers. Which I found quite surprising,
maybe even distressing.


Are we going to standardise on PDF? This is pretty good 'electric paper'
but we must not think that published work is always on 'paper'. There is NO
excuse for not locking the document.


Why should a pdf be locked? Getting away from the idea that work is always
on paper says to me that it should not be read-only *at the user end*. The
emerging means of authentication described by Adrian should be an excellent
way forward, but why the need to lock as well?

I ask because for projects such as ours, which involves adding third-party
reference links to pdf documents, locking is not insurmountable but is
against the principle of what we are trying to demonstrate.



Steve Hitchcock
Open Citation (OpCit) Project 
IAM Research Group, Department of Electronics and Computer Science
University of Southampton SO17 1BJ,  UK
Email: sh...@ecs.soton.ac.uk
Tel:  +44 (0)23 8059 3256 Fax: +44 (0)23 8059 2865

Re: eprints and authentication

2000-11-08 Thread J Adrian Pickering 

At 16:19 07/11/00 +, you wrote:

Can I seek information about a  topic which  might constitute a new
thread?


It touches on an old one.

I promised readers that I would say when www.probity.org was launched. It
now is live and is concerned with developing widely acceptable means of
providing 'authentication' evidence. The site will develop as I mount more
reference/guidance information. The concepts are to be incorporated in the
e-prints project in order to address just the problem you highlight.

a) Is the author authentic, and how can one check this

The probity.org mechanisms do not completely address this as authentication
is aligned with *signing* in a manner that the courts will accept. This is
an area being addressed seperately (e.g. IETF). However, the X.509
certificates used are validated using the techniques probity.org is promoting.


b) Has the article changed since the author last did so?


The probity.org methods do address this precisely.


  If so, by whom?


More tricky. Essentially, if someone alters something then they are
creating something new that needs re-registering using the same techniques.

Curiously,  none of these 30 Acrobat files seem to have much in

the way of any authentication mechanism. In this case, it would
be "did this publisher really issue this Acrobat file, and has it
been changed since they did so?"


The probity.org scheme would mean that the publisher could declare
publically what the PDF digest is. You can independently check that your
copy is the same as their's precisely. Anyone else can do this too.


(I presume to trust the publisher
to authenticate the author(s) ).  What  I was expecting was perhaps
a digital signature, which  Acrobat distiller can easily insert into the
whole document (based on so called  X.509 certificates),


early days for this. But yes, this is a solution but it is a proprietry one.


 but found
none in the random selection of the 30 articles  I looked in.
Acrobat also has mechanisms to lock the article to prevent it from
being modified.  These mechanisms too did not seem to be used by
any of my publishers. Which I found quite surprising,
maybe even distressing.


Are we going to standardise on PDF? This is pretty good 'electric paper'
but we must not think that published work is always on 'paper'. There is NO
excuse for not locking the document.



I concluded that  "authenticity" is a rather neglected area. Any comments?


Here's another start. I'd appreciate reactions to www.probity.org too so
this can be used to serve this neglected area.

Adrian Pickering/
Electronics and Computer Science
University of Southampton

eprints and authentication

2000-11-07 Thread Rzepa, Henry 
Can I seek information about a  topic which  might constitute a new
thread?

I have been concerned for a little while about how one goes
about  "authenticating" a document, lets say an eprint.
Authenticating means, inter alia,  two things
a) Is the author authentic, and how can one check this
b) Has the article changed since the author last did so?  If so, by whom?

I saw no mention of these aspects in http://www.eprints.org/software.html
but perhaps this topic is discussed, and if it is I would welcome
pointers (and apologize for this FAQ).

Although a rather different kind of eprint, I now have on my
computer some  30  Acrobat PDF files from various publishers
which constitutes most of my published opus of the last four
years or so. I downloaded them all via site licenses, and also
as their author. I presume my holding them is not inappropriate!

Curiously,  none of these 30 Acrobat files seem to have much in
the way of any authentication mechanism. In this case, it would
be "did this publisher really issue this Acrobat file, and has it
been changed since they did so?" (I presume to trust the publisher
to authenticate the author(s) ).  What  I was expecting was perhaps
a digital signature, which  Acrobat distiller can easily insert into the
whole document (based on so called  X.509 certificates), but found
none in the random selection of the 30 articles  I looked in.
Acrobat also has mechanisms to lock the article to prevent it from
being modified.  These mechanisms too did not seem to be used by
any of my publishers. Which I found quite surprising,
maybe even distressing.

Dealing specifically with the eprint software,  I note that
most any type of document could be accepted as an eprint format.
Some might be more suitable for authentication than others!

I also note from the eprint site that

"4.2.2 Validation   /opt/eprints/site_lib/Validate.pm contains
routines which are called by the core code to ensure that uploaded information  
is valid."

I wonder what that could constitute? Does valid mean  authenticity checks for  
X.509 certificates
for example, as provided by the author submitting the document?  I presume valid
does not mean valid in the SGML sense?  Although that too would be a jolly
good idea.

I concluded that  "authenticity" is a rather neglected area. Any comments?
--

Henry Rzepa. +44 (0)20 7594 5774 (Office) +44 (0)20 7594 5804 (Fax)
Dept. Chemistry, Imperial College, London, SW7  2AY, UK.
http://www.ch.ic.ac.uk/rzepa/