A Public Key Infrastructure (PKI) approach to climate data delivery

At the 2000 IIPS conference, we introduced the results of our investigations regarding the use of Public Key Infrastructure (PKI) concepts at a climate research data Web site. That discussion presented our prototypes which used digital certificates to determine the identity and privileges afforded users of the NOAA-CIRES Climate Diagnostics Center (CDC) Web site. This year we move beyond the prototyping phase to present the lessons learned during our design and implementation of a functional PKI-based intranet, extranet and selective data delivery service.

CDC makes use of Web interfaces to distribute information which falls into three general categories:

• Personnel and systems information and some climate data sets restricted to local use,
• Test applications, research results, and climate data sets available to internal users and some approved outside users and collaborators, and
• A large collection of climate data which is freely available to all interested users.

Much of our Web content, therefore, is made available based on user identity. A public key approach allows us to electronically authenticate a user in much the same way that a driver's license allows physical verification of the identity of a particular individual. A means of electronic verification becomes more important as, increasingly, an "internal" user is often not physically present when using our local computing systems and accessing our Web site. "Internal" users may be telecommuting (and using a different Internet Service Provider than their parent organization for access), conducting research at field sites, or conference attendees who need to remotely access data, research results, or home office information.

The ability to identify an "extranet" user is also important, since some of our data sets can only be distributed to individuals who have contacted the original data source and obtained permission to use the restricted data. Thus, we need a means of verifying the permission status from the data source, as well as a means of identifying the approved user. Both of these objectives may be met using digital certificates. In the first case, we can verify that any communication regarding user permission is indeed from the person representing the data source, and that the integrity of the communication hasn't been compromised during transit. In the second case, we can verify that the user requesting the data is the same user approved to use the data.

The proposed discussion will review the design and implementation strategies we used to incorporate PKI-based authentication into our current Web site architecture. These concepts should be of interest to other sites interested in the implementation of intranet and extranet Web site functions.