...
2) There are some "start-up" or transition aspects to using this service. It may slow people down, or require them to get some additional information before they can get to web-based information on which they depend to do their work or studies, and which is time-senstive. What can we say to someone about the benefits of this new system, which helps to offset the unfamiliar way of going about old tasks? We would expect clients to ask the following questions. What answers might we give?
a) Does this mean certificates are going away, and I won't have to get them any more?
MIT X.509 Certificates are not going away in the forseeable future. They are used by many web sites on campus and even if all web sites decide to transition to MIT Touchstone it will likely take several years for all of the web sites to make such a transition given time and budget contraints.
b) What if I set this up on my office computer? Does it work for my home computer too? What about if I use a computer at an internet cafe?
By offering users a variety of mechanisms to authenticate when using MIT Touchstone, users will be able to use MIT Touchstone enabled web applications from a wide variety of locations, be it home, office, or even while using a computer located in an internet cafe or at an airport kiosk machine. However, the authentication preference which the user may select is specific to the machine and browser. This means that a user may set a preference to use Kerberos tickets on the office computer while having a preference to use certificates from the home computer. The only situations where the user's preference will persist across machines is when using the Athena computing environment or WIN.MIT.EDU.
c) So I have to remember another new password? Can I use the same password as I use for my (email or certificates or machine login or ...)? Sometime you people make me change my password. Do I have to keep changing it every six months? What are the rules for how long my password has to be and what characters I can use? Will you tell me beforehand, or wait until I generate one that's wrong, and then tell me what I need to know?
The only password that can be used with Touchstone is your Kerberos password. This is the same password that you use to access your MIT email using Webmail or native clients. The rules for managing your password are not affected by Touchstone in any way.
d) If I don't have to use certificates any more, why did you make me get a certificate that expires in 2026?
MIT Touchstone is in its early phase of deployment. You are likely to need certificates to authenticate to other web applications at MIT for the foreseeable future.
...