Mike Teets of OCLC and I teamed up to write an article on Metasearch Authentication and Access Management for this month's D-Lib Magazine. The first part of the article is a bit of a primer on access management techniques followed by a survey and analysis of access management schemes in use last year. The key part, I think, is the "Recommendations" (access restrictions by IP address plus authenticated proxy servers is the best one can hope for right now) and "Next Steps" (Shibboleth is superior to other access control mechanisms beyond IP/proxy that one might consider, but there is lots of work to be done).
The last paragraph of the article sets out the questions:
In the space between "good enough" (the status quo) and "ideal" (Shibboleth federations) lie many questions for our community. For libraries there are questions like "Are IP address access management and proxy servers sufficient to meet your current and future needs?" and "How much more are you willing to spend on an implementation of a Shibboleth environment?" For content providers: "Are you satisfied with IP address access management and proxy servers for protecting your intellectual property?" and "Can you implement Shibboleth as a common access management system for interaction with metasearch engines (and possibly end-user access)?" And for metasearch service providers: "What kinds of requirements are you willing satisfy?" and "What are you willing to charge?" The NISO Metasearch Initiative Task Group on Access Management encourages the broad community to discuss these questions. NISO is committed to working with the Shibboleth developers to develop practical solutions to the issues raised.
So there are the questions, as best Mike and I can describe. What do you think?