Presentations about Touchstone were made to the Help Staff meeting on September 25th, 2007 and the student employees that evening. This document captures some of the follow-up questions and dialog.
1) How will a someone first encounter Touchstone? What steps will they take that causes them to notice something new or different? What will they notice?
During the pilot, a service's particular error or alternate login page will have an additional button called "Try authenticating via Touchstone". So for example, if you try to log in to Stellar and your certificate does not work or you do not have one, you currently get the page below.
When the Touchstone pilot goes live, there will be an additional section underneath the current MIT Community Users section on the page below. I pulled an example screenshot from the stellar-dev.mit.edu web site. (See second attachment.) I'll try to put this in the wiki later today.
During the initial phase of the pilot the pilot applications will always require an explicit customer action to "try Touchstone" if login fails by default. It should never re-direct there automatically, unless the user has at least once chosen to use Touchstone and set explicit preferences for their use of Touchstone.
Here is a screen shot of what a user of Stellar will see if a certificate is not presented to Stellar when logging in:
2) There are some "start-up" or transition aspects to using this service. It may slow people down, or require them to get some additional information before they can get to web-based information on which they depend to do their work or studies, and which is time-senstive. What can we say to someone about the benefits of this new system, which helps to offset the unfamiliar way of going about old tasks? We would expect clients to ask the following questions. What answers might we give?
a) Does this mean certificates are going away, and I won't have to get them any more?MIT X.509 Certificates are not going away in the forseeable future. They are used by many web sites on campus and even if all web sites decide to transition to MIT Touchstone it will likely take several years for all of the web sites to make such a transition given time and budget contraints.
b) What if I set this up on my office computer? Does it work for my home computer too? What about if I use a computer at an internet cafe?By offering users a variety of mechanisms to authenticate when using MIT Touchstone, users will be able to use MIT Touchstone enabled web applications from a wide variety of locations, be it home, office, or even while using a computer located in an internet cafe or at an airport kiosk machine. However, the authentication preference which the user may select is specific to the machine and browser. This means that a user may set a preference to use Kerberos tickets on the office computer while having a preference to use certificates from the home computer. The only situations where the user's preference will persist across machines is when using the Athena computing environment or WIN.MIT.EDU.
c) So I have to remember another new password? Can I use the same password as I use for my (email or certificates or machine login or ...)? Sometime you people make me change my password. Do I have to keep changing it every six months? What are the rules for how long my password has to be and what characters I can use? Will you tell me beforehand, or wait until I generate one that's wrong, and then tell me what I need to know?The only password that can be used with Touchstone is your Kerberos password. This is the same password that you use to access your MIT email using Webmail or native clients. The rules for managing your password are not affected by Touchstone in any way.
d) If I don't have to use certificates any more, why did you make me get a certificate that expires in 2026?MIT Touchstone is in its early phase of deployment. You are likely to need certificates to authenticate to other web applications at MIT for the foreseeable future.
3) The product presents a set of choices for a person to make before they can go forward, but it doesn't give them criteria for making the choices. For example, they are faced with deciding between
a) user ID and password
b) Kerberos tickets
c) certificates
Many individuals don't know which of these items they have active, or correctly installed, or named as indicated above. Kerberos tickets are dependent on user ID and password at MIT, so what's the difference between those choices? People don't routinely check to see if they certificates or tickets at the start of a work session; they pay attention when a path to a web page is blocked, or if they have to type an ID and password to get access.
Similarly, why/how to choose between the "Authentication Options" (https://idp.mit.edu/auth-options) radio buttons? What about putting a link called "How to choose between these options" to documentation or some background information at the top of this same page?