eprints and authentication

From: Rzepa, Henry <h.rzepa_at_IC.AC.UK>
Date: Tue, 7 Nov 2000 16:19:57 +0000

Can I seek information about a topic which might constitute a new
thread?

I have been concerned for a little while about how one goes
about "authenticating" a document, let's say an eprint.
Authenticating means, inter alia, two things:
a) Is the author authentic, and how can one check this
b) Has the article changed since the author last did so? If so, by whom?

I saw no mention of these aspects in http://www.eprints.org/software.html
but perhaps this topic is discussed, and if it is I would welcome
pointers (and apologize for this FAQ).

Although a rather different kind of eprint, I now have on my
computer some 30 Acrobat PDF files from various publishers
which constitute most of my published opus of the last four
years or so. I downloaded them all via site licenses, and also
as their author. I presume my holding them is not inappropriate!

Curiously, none of these 30 Acrobat files seem to have much in
the way of any authentication mechanism. In this case, it would
be "did this publisher really issue this Acrobat file, and has it
been changed since they did so?" (I presume to trust the publisher
to authenticate the author(s)). What I was expecting was perhaps
a digital signature, which Acrobat distiller can easily insert into the
whole document (based on so called X.509 certificates), but found
none in the random selection of the 30 articles I looked in.
Acrobat also has mechanisms to lock the article to prevent it from
being modified. These mechanisms too did not seem to be used by
any of my publishers. Which I found quite surprising,
maybe even distressing.

Dealing specifically with the eprint software, I note that
most any type of document could be accepted as an eprint format.
Some might be more suitable for authentication than others!

I also note from the eprint site that

"4.2.2 Validation /opt/eprints/site_lib/Validate.pm contains
routines which are called by the core code to ensure that uploaded information is valid."

I wonder what that could constitute? Does valid mean authenticity checks for X.509 certificates
for example, as provided by the author submitting the document? I presume valid
does not mean valid in the SGML sense? Although that too would be a jolly
good idea.

I concluded that "authenticity" is a rather neglected area. Any comments?
--
Henry Rzepa. +44 (0)20 7594 5774 (Office) +44 (0)20 7594 5804 (Fax)
Dept. Chemistry, Imperial College, London, SW7  2AY, UK.
http://www.ch.ic.ac.uk/rzepa/
Received on Mon Jan 24 2000 - 19:17:43 GMT
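
The manual check the message describes (looking inside a PDF for a digital signature or a lock), as an added Python example that is not part of the original message or of the eprints software. It assumes a signature shows up as a `/ByteRange` entry and a lock as an `/Encrypt` entry in the raw bytes; `inspect_pdf` and `build_sample` are hypothetical names, the sample bytes are constructed, and the signature value and its X.509 chain are not verified.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def inspect_pdf(data: bytes) -> dict:
    """Report encryption and signature markers found in raw PDF bytes.

    Presence checks only (a heuristic byte scan): confirming who signed
    needs a full PDF signature validator and the signer's certificate.
    """
    report = {"encrypted": b"/Encrypt" in data, "signatures": []}
    for m in BYTE_RANGE.finditer(data):
        off1, len1, off2, len2 = (int(g) for g in m.groups())
        covered = data[off1:off1 + len1] + data[off2:off2 + len2]
        report["signatures"].append({
            # Whole-file coverage: starts at byte 0, ends at EOF, and skips
            # only the gap that holds the /Contents signature value.
            "covers_whole_file": (off1 == 0 and off1 + len1 <= off2
                                  and off2 + len2 == len(data)),
            "digest_of_signed_bytes": hashlib.sha256(covered).hexdigest(),
        })
    return report

def build_sample(signed: bool) -> bytes:
    """Constructed stand-in for a PDF (not a real publisher file)."""
    head = b"%PDF-1.3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    if not signed:
        return head + b"%%EOF\n"
    pre_a = head + b"2 0 obj\n<< /Type /Sig /ByteRange ["
    pre_b = b"] /Contents "
    sig = b"<" + b"00" * 16 + b">"       # placeholder, not a real signature
    tail = b" >>\nendobj\n%%EOF\n"
    len1 = len(pre_a) + 43 + len(pre_b)  # 43 = four 10-digit numbers + 3 spaces
    ranges = (0, len1, len1 + len(sig), len(tail))
    return pre_a + b" ".join(b"%010d" % n for n in ranges) + pre_b + sig + tail

if __name__ == "__main__":
    appended = build_sample(True) + b"3 0 obj\n(x)\nendobj\n"
    for name, pdf in [("unsigned", build_sample(False)),
                      ("signed", build_sample(True)),
                      ("signed+appended", appended)]:
        print(name, inspect_pdf(pdf))
```

Bytes appended after signing leave the digest of the signed ranges unchanged, which is why the coverage flag is reported separately: it is the only field here that shows the file grew after the signature was applied.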
