[cap-talk] Ambient authority, authentication and authorization
Jed Donnelley
capability at webstart.com
Sat Jan 20 16:05:13 CST 2007
At 04:01 PM 1/19/2007, Ka-Ping Yee wrote:
>On Fri, 19 Jan 2007, Jed Donnelley wrote:
>...
> > I notice that term "ambient authority" in the last sentence is
> > italicized to indicate that it's a technical term, but it doesn't
> > have a Wikipedia page. I could take a first crack at that if that
> > seems reasonable.
>
>Yes please! I was hoping to eventually have an article on that term.
>Go for it.
OK. I started a page:
http://en.wikipedia.org/wiki/Ambient_Authority
As usual with such a start it's very rough and doesn't yet have
references and such that may need to be added.
I think of this page as something along the lines of "know your
enemy". My bias shows through rather clearly. Perhaps this is
inappropriate and over time this page may be edited to reduce or
remove that bias.
One thing that occurred to me when working on this page and looking
at various access control references is the significance of the usual
distinction between:
1. Identification and authentication (I&A)
and
2. Authorization
as discussed on: http://en.wikipedia.org/wiki/Access_control
This distinction is so ground into people (especially students) these
days that I've found it common (even on cap-talk) for competitive
people to essentially probe for weaknesses in opponents during debate
by trying to find flaws in their use of these terms and in their
clear distinction between them.
And yet ... it seems to me that this very distinction is at the heart
of the "ambient authority" model and much that I view as broken about
the dominant implementations of access control.
I expect this approach arrives metaphorically from the approach of
identifying people and then associating rights and privileges with
the person based on their identity. For people this model works
reasonably well, but even for people it runs into
problems. Consider, for example, the situation of giving a parking
lot attendant the key to your car to park it. Somehow associating
the permission to enter and drive your car with the identity of the
parking lot attendant would seem awkward at best. Giving the
attendant the key to your car seems very natural and, well, object oriented.
Even in a situation like that with an ATM machine, a person's
identity is really secondary to the access control mechanism. With
an ATM machine you enter an account specification from your ATM card
(perhaps along with a choice of account) along with your PIN number
to authorize access to your account. There is no separate
authentication/identification followed by an authorization or even a
lookup of authorization based on identity. It's the account
specification that's primary and the combination of something you
have along with something you know that provides the authorization.
To be sure there is an identity associated with a bank account. With
your identity validated you can access and manage your account
independent of your ATM card and PIN. However, at least the primary
access through the ATM seems to me really more like capability access
than it does the combination of an authentication step followed by an
authorization lookup.
Oh well, just sharing some thoughts. Please take a look at the
Ambient Authority page and be bold! Feel free to whack away, add
references, clarify, etc., etc. Certainly at an early stage like
that with this page there's little to no penalty for error.
Thanks!
--Jed http://www.webstart.com/jed-signature.html
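The two analogies in the post, the car key and the ATM, rendered as an added Python sketch that is not part of the post or of any cap-talk project: an identify-then-look-up (ambient authority) design beside a capability design in which holding the key, or presenting card plus PIN, is itself what authorizes. Every name and value in it (run_as, CarKey, Bank, "alice", "card-7", "1234") is constructed for illustration.

```python
# Added illustration, not code from the post; all names and values are constructed.
# --- Ambient authority: identify the caller, then look up what they may do ---
CURRENT_PRINCIPAL = None              # "who is running", set out of band
ACL = {"car-1": {"alice"}}            # car -> identities allowed to drive it
def run_as(principal, action, *args):
    # Whatever runs inside gets the whole of this identity's rights.
    global CURRENT_PRINCIPAL
    CURRENT_PRINCIPAL = principal
    try:
        return action(*args)
    finally:
        CURRENT_PRINCIPAL = None
def drive_by_identity(car_id):
    # Authority is inferred from ambient context, not from any argument.
    if CURRENT_PRINCIPAL not in ACL.get(car_id, set()):
        raise PermissionError(f"{CURRENT_PRINCIPAL!r} may not drive {car_id}")
    return f"{car_id} driven by {CURRENT_PRINCIPAL}"

# --- Capability: holding the key is the authority; no identity is consulted ---
class Car:
    def __init__(self, car_id):
        self._car_id = car_id
    def key(self):                    # the owner hands this object to the attendant
        return CarKey(self)

class CarKey:
    def __init__(self, car):
        self._car = car               # an in-process reference models an unforgeable key
    def drive(self):
        return f"{self._car._car_id} driven by whoever holds the key"

# --- ATM: something you have + something you know designates the account ---
class AccountHandle:
    def __init__(self, balances, acct):
        self._balances, self._acct = balances, acct
    def withdraw(self, amount):
        if amount > self._balances[self._acct]:
            raise ValueError("insufficient funds")
        self._balances[self._acct] -= amount
        return self._balances[self._acct]

class Bank:
    def __init__(self):
        self._balances = {"acct-42": 100}
        self._cards = {("card-7", "1234"): "acct-42"}   # (card, PIN) -> account
    def atm_authorize(self, card, pin):
        acct = self._cards.get((card, pin))              # no identity lookup at all
        if acct is None:
            raise PermissionError("card and PIN do not designate an account")
        return AccountHandle(self._balances, acct)
```

Note that in the first design the attendant can only park the car if "attendant" is added to the ACL, after which anything run under that identity may drive it, whereas in the second the attendant is never identified at all.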