The project will be rolled out in stages, starting with a relatively conservative scheme, and progressing to more elaborate methods.
The initial content set will include a web based component and a web video based component. It is proposed that we will use a set of UC Berkeley class lectures as the web video based section.
IP based authentication allows web servers to determine whether a particular request for a web page is to be honored based on the IP address of the machine on which the browser requesting the page is running. This method is inherently insecure, but has the advantages of being trivial to implement in most web servers, and providing a (low) level of security appropriate for some services.
For access by UC Berkeley community members, the Berkeley Macintosh software server (cobweb) page maintains a list of network numbers that can be used to configure a web server to only allow browser requests using the IP addresses of Berkeley campus hosts.
IP addresses were never intended to be used as a way of determining access rights, and there are a number of legitimate situations in which IP based authentication will fail. One such situation, which is becoming increasingly common, is the use of web based proxy services. Proxies can be used to modify web pages on the fly in a number of interesting ways. These proxy services have the side-effect of circumventing IP based authentication schemes -- the IP address of the HTTP request appears to the web server to be that of the proxy server. Any pages that can be accessed by the proxy server can be retrieved by a client with access to the proxy, whether or not the client has direct access to those pages.
The Berkeley TranSend proxy server is a good example of this type of server. Whilst it is possible to exclude the TranSend server from any pages that are restricted to Berkeley, this also restricts legitimate Berkeley users from accessing those pages via the TranSend server. It also does not protect those pages from any similar servers that may be set up in the future.
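The following model of the server-side check is an added example, not part of the original proposal or of any campus server configuration. It shows both effects described above: a relayed request is judged by the proxy's address, and excluding the proxy also locks out campus users who use it. The network numbers, the proxy address and all function names are constructed for illustration (documentation address ranges, not real campus networks).

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges), not real campus networks.
CAMPUS_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]
PROXY_ADDR = "192.0.2.80"  # hypothetical proxy hosted on a campus network
CLIENTS = {"campus": "198.51.100.25", "off_campus": "203.0.113.9"}


def server_allows(peer_ip, allow, deny=()):
    """IP based check: the server can only test the address of the connecting peer."""
    addr = ipaddress.ip_address(peer_ip)
    if any(addr == ipaddress.ip_address(d) for d in deny):
        return False
    return any(addr in net for net in allow)


def peer_seen_by_server(client_ip, via_proxy):
    """A relayed request arrives from the proxy; the client's own address is not seen."""
    return PROXY_ADDR if via_proxy else client_ip


def access_matrix(deny=()):
    """Decision for each client, reached directly and through the proxy."""
    result = {}
    for name, ip in CLIENTS.items():
        for via_proxy in (False, True):
            peer = peer_seen_by_server(ip, via_proxy)
            path = "proxy" if via_proxy else "direct"
            result[(name, path)] = server_allows(peer, CAMPUS_NETWORKS, deny)
    return result


if __name__ == "__main__":
    for label, deny in (("allow list only", ()), ("proxy excluded", (PROXY_ADDR,))):
        print(label)
        for (name, path), allowed in access_matrix(deny).items():
            print(f"  {name:10s} {path:6s} -> {'allowed' if allowed else 'refused'}")
```

With the allow list alone, the off-campus client is refused directly but allowed through the proxy; with the proxy excluded, both clients are refused when they use it.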
An additional problem with this method of authentication is that the list of networks that are considered to be part of the Berkeley campus changes quite frequently. The host access files that determine access rights must be manually updated on every web server that performs authentication, which clearly becomes a very significant administrative overhead as the number of services using authentication increases.