From the issue dated December 10, 1999

Do 'Digital Certificates' Hold the Key to Colleges' On-Line Activities?

Several institutions experiment with technology designed to identify who is using a computer


Cambridge, Mass.

Facing a growing need to verify the identities of students and employees for on-line transactions, a handful of universities have begun issuing high-tech "digital certificates" -- signed files that hackers cannot alter without the alteration being detected.

Because the portable electronic identifiers are highly efficient at proving to other computers that a user is who he or she claims to be, officials at some leading research universities say that certificates have dozens, if not hundreds, of potential uses.

Administrators hope to rely on the digital certificates as they make more and more of their campus functions "self-service" -- for example, letting students register for courses on line. And the certificates may let network administrators determine who gets to take advantage of new high-speed links created by projects like Internet2.

A digital certificate is a small, coded file that binds identifying information about an individual or institution to a public key, and that carries the signature of the authority that issued it. Associated with the certificate is a pair of encryption keys: the public key, which is embedded in the certificate and can be shared freely, and a private key, which the holder keeps secret and uses to prove possession of the certificate. The public key lends its name to "public-key infrastructure" -- the software, policies, and practices for managing digital certificates.

Research librarians may have the most pressing need for certificates, to help their users gain access to data bases and electronic copies of journals outside of their campus collections.

Most research institutions are not yet issuing digital certificates, however, because publishers of the electronic data bases they subscribe to don't have their servers set up to accept certificates, says Eric F. Celeste, assistant director for technology planning and administration for the Massachusetts Institute of Technology's libraries. The publishers see little reason to invest in the technology until universities do the same. "They look around and ask, 'Who's got certificates? Why should we spend energy on this?'" he says.

That stalemate is what prompted M.I.T. and the Corporation for Research and Educational Networking, a non-profit organization of colleges and universities, to offer a service for validating the digital certificates of higher-education and research institutions that meet CREN's strict technical and business standards. By using the service, an institution could avoid the complex business and technical agreements that it would otherwise need to negotiate, on its own, to ensure that its certificates would be accepted by other universities and electronic publishers.

The new service, which created its first certificates last month, could have the effect of "bootstrapping" colleges that might otherwise lag in adopting an important technology for conducting transactions with other institutions over the Internet, says Jeffrey I. Schiller, manager of network services for M.I.T. and the principal architect of CREN's certificate service.

Many technology experts, Mr. Schiller among them, think that institutions will quickly find new uses for digital certificates, and the encryption keys associated with them, if the cost is reasonable and they learn how to manage thousands of certificates.

As they get comfortable with the technology, some computing officials say they may begin using it to put electronic signatures on official documents or, in some cases, to encrypt sensitive personnel documents.

But cost could also affect how quickly universities begin using certificates on a scale larger than that of the current pilot projects, campus-computing officials say.

One day last month, Mr. Schiller was the center of attention for about three dozen university officials who crowded into Room 302 of the Muckley Building on the M.I.T. campus here. His equipment on that day was a specially engineered certificate server that could be activated only by a physical key. The small gathering watched as he turned the key and generated its more-complex digital equivalent, a "root key" for creating CREN certificates. The key was 2,048 bits long, making it "very, very hard" for hackers to break, he said.

As Mr. Schiller carefully executed the initial steps in generating the root key, several college officials who were present said the occasion was "historic." After generating the key, Mr. Schiller used it to sign the first CREN institutional certificate, which was issued to Princeton University.

CREN has since issued certificates to M.I.T. and the Georgia Institute of Technology as well. The institutions will in turn use those to create personal digital certificates for their students and staff and faculty members. The personal certificates, stored in users' Web browsers, will be signed with the institutions' certificates, which are themselves signed by CREN, forming a chain that verifies both the identity of the individual user and the user's connection to a specific university.

In the case of a user who is seeking access to an on-line journal, for instance, the certificate would act as a "simple, anonymous library card that the publisher's server recognizes as valid because the certificate has the CREN signature," says Judith V. Boettcher, CREN's executive director.

Digital certificates are designed to resolve problems like the ones facing the libraries at M.I.T. About three years ago, students and employees at M.I.T. began paying Internet-service providers commercial rates for connections, which in many cases were cheaper than those offered through the institution. That shift gave them network addresses outside M.I.T.'s own domain, and soon many of them found they were barred from library resources: the publishers' servers admitted users by network address, and theirs could not be recognized as originating at M.I.T.

As a stop-gap measure, M.I.T. installed a proxy server, into which M.I.T.'s library users can dial from anywhere to gain access to licensed data bases; their requests then reach the publishers from an M.I.T. address. But before that could happen, M.I.T. officials had to persuade more than 60 data-base and journal publishers to accept requests routed through the proxy server.

Most of the publishers agreed to do so. But M.I.T.'s Mr. Celeste says proxy servers are "terrible" to manage, and M.I.T. looks forward to replacing them with a digital-certificate system.

M.I.T. officials have begun talking about other uses, too, for the university's CREN-based certificates. "As we roll out certificate-authenticated services on campus," Mr. Schiller says, "alums may want to get access to those services" -- such as permanent M.I.T. e-mail addresses, which the university now offers to its graduates.

Several other research universities, among them the University of California system and Columbia University, are planning in 2000 to expand pilot projects in which they have issued digital certificates to some of their library users.

So far, verifying a person's identity on the Internet is the only use for which the University of California system has approved digital certificates, says David Wasley, an information-resources official in the university president's office.

Mr. Wasley thinks it could be several years before the California system is able to rely on the technology for a variety of daily operations. "We really want to get more practical experience and feedback," he says. Eventually, however, system officials want to use digital certificates to guarantee "the validity and auditability" of all university business conducted over the Internet, Mr. Wasley says.

Georgia Tech intends to rely on digital certificates "across every regime," for administrative, academic, and research purposes, says Gordon Wishon, associate vice-president and associate vice-provost for information technology. The university, which is installing an electronic-procurement system from the PeopleSoft Corporation, will need digital certificates to prove that transactions have been initiated and authorized by the appropriate people, he says.
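The two uses described above -- a personal certificate that a publisher's server accepts because it chains back, through the institution, to a root it trusts, and an electronic signature that proves a transaction was authorized by a particular key holder -- as an added example that is not part of the article and is not CREN's or any university's actual configuration. The script uses OpenSSL to generate a self-signed root, an institutional certificate signed by that root, and a personal certificate signed by the institution, then checks a personal certificate the way a publisher would and signs and verifies a purchase order. Every organization and personal name (Example Root CA, Example University, Alice Student, the unaffiliated Elsewhere Inc and its user Mallory) and every file path is made up for the example; it assumes an `openssl` binary on the PATH with its default configuration file installed.

```shell
#!/bin/sh
# Added example: a root -> institution -> person certificate chain, built and
# checked with OpenSSL, plus a signed document. All names are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A self-signed root certificate; its private key plays the part of the
# "root key" that every other certificate here chains back to.
make_root() {  # make_root <stem> <organisation> <common-name>
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=$2/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a certificate signed by an existing key. kind=ca produces a
# certificate allowed to sign others (an institution); kind=user a leaf.
issue() {  # issue <signer-stem> <new-stem> <organisation> <common-name> <ca|user>
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/O=$3/CN=$4" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  if [ "$5" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
      > "$WORK/$2.ext"
  else
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
      > "$WORK/$2.ext"
  fi
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$2.ext" \
    -out "$WORK/$2.pem" 2>/dev/null
}

build_chain() {
  make_root root "Example Research Network" "Example Root CA"
  issue root inst "Example University" "Example University CA" ca
  issue inst alice "Example University" "Alice Student" user
  # An unaffiliated root and a person it certified: the signatures are
  # valid, but there is no path to the root the publisher trusts.
  make_root rogue "Elsewhere Inc" "Elsewhere Root"
  issue rogue mallory "Elsewhere Inc" "Mallory" user
}

# What a publisher's server does: trust only the root, take the institutional
# certificate as an untrusted intermediate, and require that the personal
# certificate chain to the root. Exit status 0 means accepted.
check_member() {  # check_member <stem>
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inst.pem" \
    "$WORK/$1.pem" 2>&1 | grep -q ': OK$'
}

# The organisation in the issuer field: which institution vouched for this
# person. For the "library card" use that is what the publisher cares about.
issuer_org() {  # issuer_org <stem>
  openssl x509 -in "$WORK/$1.pem" -noout -issuer -nameopt RFC2253 \
    | sed -n 's/.*[,=]O=\([^,]*\).*/\1/p'
}

# Electronic signature on a document: sign with the personal private key,
# verify with the public key taken from the certificate. Any change to the
# document, or a signature from another person's key, fails verification.
sign_doc() {  # sign_doc <stem> <file> <signature-out>
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$3" "$2"
}
verify_doc() {  # verify_doc <stem> <file> <signature>
  openssl x509 -in "$WORK/$1.pem" -pubkey -noout > "$WORK/$1.pub"
  openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$3" "$2" >/dev/null 2>&1
}

build_chain
printf 'alice   issued by "%s": ' "$(issuer_org alice)"
check_member alice && echo accepted
printf 'mallory issued by "%s": ' "$(issuer_org mallory)"
check_member mallory || echo rejected

# A constructed purchase order, signed by Alice and then altered.
printf 'purchase order 1234: 40 servers, approved\n' > "$WORK/order.txt"
sign_doc alice "$WORK/order.txt" "$WORK/order.sig"
verify_doc alice "$WORK/order.txt" "$WORK/order.sig" && echo "order: signature valid"
printf 'purchase order 1234: 400 servers, approved\n' > "$WORK/altered.txt"
verify_doc alice "$WORK/altered.txt" "$WORK/order.sig" || echo "altered order: signature rejected"
```

The publisher never needs the private keys or a list of every student: one trusted root plus the institution's intermediate certificate is enough to accept any personal certificate the institution has signed and to reject one from an unaffiliated issuer. The signature check is what the procurement use needs, and it fails for the altered order as well as for a signature made with someone else's key.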

Universities with Defense Department research contracts will probably be the early adopters of certificate technology, says David J. Hogarth, administrative assistant to the assistant provost at M.I.T. The department has announced that it intends to have digital certificates for its four million civilian and military employees and contractors by the end of 2002.

As with any new technology, the importance of having appropriate policies and procedures in place for handling digital certificates can't be overlooked, says Ira H. Fuchs, vice-president for computing and information technology at Princeton, which will use its new digital certificates to identify library users to electronic publishers whose data bases and journals the library has licensed. Mr. Fuchs is also the founder and president of CREN and the chief scientist of JSTOR, a non-profit organization that offers a data base of back issues of academic journals.

Mr. Fuchs says the policy questions will "get very sticky" unless universities think clearly about what they are doing before they start issuing digital certificates to everyone -- leaving themselves "no way to undo what they've done." Among the "sticky" issues, he says, is how to handle "escrow" keys, the copies of decryption keys that institutions will need if they plan to encrypt documents and still be able to read them when the original key holder's key is unavailable.

To realize the full potential of digital certificates, institutions will need standards for managing different levels of access to digital information, Mr. Wasley says. Budgetary and financial information, personnel data, and even network services, for example, are resources for which universities should offer different levels of controlled access.

Internet2's promise of providing a better network for scientific research, he says, "will be meaningless" without access controls. "You don't want high-definition television coming out of the dormitory, tying up Internet2," agrees Clifford A. Lynch, executive director of the Coalition for Networked Information, a consortium that promotes the use of computer networks. Digital certificates, he says, are the answer.

Cost, at least initially, could limit the use of digital certificates to a small number of well-heeled research universities. Commercial outfits that charge on a per-certificate basis -- even at 2 cents each -- may price themselves out of the university market, according to Mr. Wasley, who says "the cost model is very important." But if a university purchased a site license for its entire population, he says, it "could issue three million or 30 million certificates -- it wouldn't change the cost."

CREN's certificate service is free to members of CREN and available for a fee to non-members. Only about a half-dozen certificate-service providers operate today, including those run by the federal government and by several large companies.

How quickly electronic publishers and other users begin to accept electronic certificates from CREN or other certificate authorities may ultimately depend on how easy it is to set up servers that recognize the certificates. Columbia's experience in a pilot project with the OCLC Online Computer Library Center and JSTOR "leads us to think it's not that hard," says David Millman, manager of research and development for academic information systems at Columbia.

Leah Houser, the manager of OCLC's reference services, says her biggest concern is the prospect of having to work with too many certificate-server configurations put together by different colleges and universities. If universities wind up using widely dissimilar technical approaches, she says, managing certificates could become "onerous" for electronic publishers.

Electronic publishers also may have to be persuaded that digital certificates are not just the latest gee-whiz fad. "We have to sell them on the fact that this is not something that we're going to experiment with, see what happens, and then throw it away," says Ron Hutchins, director of engineering at Georgia Tech. Digital certificates will be the infrastructure on which, he says, "our future depends."
