Re: Cambridge Journals Online

[Daniel Feenberg <feenberg@nber.org>]

On Sat, 29 Jan 2000, David Fowler wrote:

> I agree. Why does Cambridge think that maintaining a userid/password
> system for its fulltext is helpful for a University? It's a bit
> archaic.... .IP recognition anyone?

As a publisher, I too am mystified by userid/password authentication for
online journal access. Userids work well for the protection of private
home directories, after all each user would be reluctant to jepordize the
safety of their own files by letting their own password get out. But the
user doesn't have anything at stake in keeping the userid/password for an
online service private. So a great deal of clerical and user time is
spent on a procedure which provides little security. In economics, we say
that this system is 'not incentive compatible'. 

What many of the participants in this industry don't realize is that this
is an 'authorization system' and not an 'authentication system'. The
publisher needs to design something attractive to the library to maximize
profits, since libraries should drop subscriptions that are a nuisance to
administer, or don't get used. Maximum security will not provide maximum
profits since it will discourage subscriptions. 

IP authentication makes more sense, in spite of theoretical difficulties
with forged IP addresses, and real difficulties with multi-site caches and
subscribers that that don't know their network number. 

IP authentication does not provide much help for off-campus users who will
not find it easy to configure their browser for the on-campus proxy
server.  We allow email delivery, but even that is a bit cumbersome.

Daniel Feenberg
National Bureau of Economic Research