I added a recent changes list at http://gbv.github.com/paia/ to easier follow modifications to the PAIA specification.

P Williams wrote:

I'm very interested in this problem space.  Good to see that someone is
taking the initiative to try to solve the problem.  I guess I'll have to
learn some German :)

Ach, das ist nicht nötig :-)

You better correct my English by proofreading the current PAIA spec.

You mention VuFind ILS drivers.  You might also be interested in the
"connectors" from the XC NCIP toolkit [http://xcncip2toolkit.googlecode.com]
and LAI Connector from Equinox's FulfILLment [

Thanks, I started a page with related work, open for contributions:


I think OAuth is a good starting place when you talk about authentication.
This would address some of the issues of trust with applications that want
to access your library related information and how to securely grant access
to these client applications.  With an OAuth model the server (ILS) doesn't
have to know about the client application before the first request in order
to establish trust.  The trust is established by the user just in time.

With library systems username and password are usually barcode and pin.
The pin is usually a four digit number which is substantially easier to
break with brute force than a true password (alpha-numeric + case +
punctuation).  I think that unfortunately PAIA has the potential to make
this type of attack easier.  Any thought to hardening library systems
against brute force authentication attempts?

You are right, but library systems should not have allowed weak passwords in the first place. I added a section on secuity considerations:


I think the best way is to enable PAIA only for patron accounts with strong passwords.

> What did you mean by decoupling of authorization and access?

One reason to decouple authorization (PAIA auth) and access (PAIA core) was to be free to use different authorization methods in addition to username and password. You could also support access tokens bound to specific clients which can access multiple patron accounts or access tokens with read-only access to a patron account. With username/password one would only have all or nothing.

What are your major complaints with NCIP?

1. One of the most important bits of information ("circulation status") is not defined but free text.
2. NCIP is rarely implemented in total, so you never know what you get
3. Identifiers are not URIs.
4. I don't know of any library that allows open access to their NCIP interface by patrons and third-parties.

But I've seen worse library APIs than NCIP ;-)

I can see this being useful with authenticating for use of licensed
databases, to determine eligibility for ILL services, or to verify a valid
user for reciprocal borrowing in person within a consortia.  It might also
be useful for a service like Library Elf.

Interesting case. You could think of a database as a document which can be requested - so the patron sends a PAIA "requestItems" and the resulting document state is 3 ("held") or 4 ("provided") on success and 5 ("rejected") on failure.


Jakob Voß <jakob.v...@gbv.de>, skype: nichtich
Verbundzentrale des GBV (VZG) / Common Library Network
Platz der Goettinger Sieben 1, 37073 Göttingen, Germany
+49 (0)551 39-10242, http://www.gbv.de

Reply via email to