[OAI-implementers] oai security

Hussein Suleman hussein@vt.edu
Tue, 15 Jan 2002 10:55:10 -0500


i should start by reiterating that access controls were always an option 
for OAI interfaces - its "open" in the sense that the protocol spec is 
public and you are not restricted in where/how you implement it.

that aside, i do some harvesting but have not yet had the need for 
username/password provision so my code does not support it (and possibly 
will not for some time if ever). that does not preclude the possibility 
of someone else modifying my harvester to include such support (which is 
probably quite trivial, given that its in Perl)

harvesters are not difficult to write - they are usually only written by 
those people who want to build services on the exported data. if i was a 
service provider and you had data interesting to me, with HTTP access 
controls, i would definitely build support into my harvester for those 
controls in order to get to your data. however, until you find a service 
provider sufficiently interested in your data, having BasicAuth access 
controls can be one more hurdle. as an alternative i may even suggest 
using an IP access control list like Tom from UIUC just mentioned - its 
not difficult to implement and makes security primarily the concern of 
the data provider and not the service provider ...


Josie Imlay wrote:

> I am working on an oai server right now and the people that own the information don't want it getting in to just anyone and everyone's hands. I satisfied this using some simple http protocol level authentication. What I am woundering is if people writing harvesters out there are implementing username/password support at all. 
> Thanks,
> Josie Imlay
> _______________________________________________
> OAI-implementers mailing list
> OAI-implementers@oaisrv.nsdl.cornell.edu
> http://oaisrv.nsdl.cornell.edu/mailman/listinfo/oai-implementers

hussein suleman - hussein@vt.edu - vtcs - http://www.husseinsspace.com