FYI
Best regards,
Samuele (for CDS Support)
--
CERN Document Server ** <http://cds.cern.ch/> ** <[email protected]>
--- Begin Message ---
Dear all,
I've been discussing this whole question with Jose, and I think we've
reached a consensus. We'd like to know what your opinion on the
matter is, and its feasibility as far as Invenio is concerned.
So, I think we all agree HTTPS would be the best way to perform
authentication, like Jean-Yves suggested.
Then, for private record harvesting, we have several options:
- Creating a parallel request handler, like /oai.py/private;
- Passing an extra parameter to the OAI handler (i.e. &private=true);
- Placing the public and private events inside different sets, and
allowing harvesting of the private set only to HTTPS-authenticated
clients;
We believe that the second option disrupts the expected behavior of an
OAI-PMH service, and, between the first and the third one, the former
would be easier to implement (does not require changing the set
structure). Besides that, it will be transparent for the end-user: the
public gateway will work as it always did, and the private one will have
the same behavior, except for the initial phase of HTTPS authentication.
What's your opinion on this?
Cheers,
Pedro
On Wed, 2008-07-23 at 16:29 +0200, Jose Benito Gonzalez Lopez wrote:
> Dear all,
> > Dear all,
> > As discussed in the corridor with Jose, simplest way would be to harvest
> > all indico content, including cern-only and private data, but only
> > display a minimum format (a date or/and a title) for restricted events,
> > and point to Indico where the access control will be performed.
> > All other formats would be impossible on indicosearch to prevent
> > hacking.
> >
> Having a look at the code, it seems that we already have some indexes
> with all the private data.
> I have to check this out, but maybe we could split the harvesting in
> two. We leave the current OAI interface
> as it is (open to everyone) and then, we could create a specific
> parameter to indicate that you want to index
> the private content. So, from your side it would be as two harvesting
> requests (one as it is and another one for private data).
> > Harvesting would be safer via https and only authorised to indicosearch
> > server.
> >
> if we go for the solution with two harvesting requests, we could set up the
> second one (just private data) as HTTPS.
> > Restricted records would contain a tag with 'private' or 'cernonly'
> > information.
> >
> this will be provided in our response.
>
>
> Anyhow, these are just a few considerations that I was thinking about. We
> can discuss it deeply next week...
>
> Cheers!
> Jose
--- End Message ---
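
The split discussed in this thread, sketched as an added example (not code from Indico, Invenio or any participant): the public handler behaves as before, the parallel /oai.py/private handler answers only HTTPS requests from an allow-listed harvester, and restricted records are reduced to a minimal format that keeps their 'private'/'cernonly' tag. The allow-list, record fields, status codes and function names are assumptions.

```python
# Added illustration. Only the handler paths and the 'private'/'cernonly'
# tags come from the thread; every other name here is hypothetical.
PUBLIC_PATH = "/oai.py"
PRIVATE_PATH = "/oai.py/private"

# Assumed allow-list of harvester identities established by HTTPS authentication.
AUTHORIZED_HARVESTERS = {"indicosearch"}

# Constructed sample records.
RECORDS = [
    {"id": 1, "title": "Open seminar", "date": "2008-07-01",
     "visibility": "public", "abstract": "Constructed public abstract"},
    {"id": 2, "title": "Internal review", "date": "2008-07-02",
     "visibility": "cernonly", "abstract": "Constructed internal abstract"},
    {"id": 3, "title": "Closed meeting", "date": "2008-07-03",
     "visibility": "private", "abstract": "Constructed private abstract"},
]


def minimal_view(record):
    """Minimum format for a restricted event: title, date and its tag only."""
    return {k: record[k] for k in ("id", "title", "date", "visibility")}


def harvest(path, scheme, client, query=None, records=RECORDS):
    """Return (status, records) for one harvesting request.

    `client` is the identity proven during HTTPS authentication, or None.
    `query` is accepted but never consulted for access decisions, so a
    parameter such as private=true cannot unlock restricted records.
    """
    if path == PUBLIC_PATH:
        # Public gateway works as it always did: public records only.
        return 200, [r for r in records if r["visibility"] == "public"]
    if path == PRIVATE_PATH:
        # Fail closed: plain HTTP or an unknown client gets nothing.
        if scheme != "https" or client not in AUTHORIZED_HARVESTERS:
            return 403, []
        restricted = [r for r in records if r["visibility"] != "public"]
        return 200, [minimal_view(r) for r in restricted]
    return 404, []
```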