[cap-talk] Ambient authority, authentication and authorization
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Sat Jan 20 18:01:32 CST 2007
Jed Donnelley wrote:
> One thing that occurred to me when working on this page and looking
> at various access control references is the significance of the usual
> distinction between:
>
> 1. Identification and authentication (I&A)
> and
> 2. Authorization
>
> as discussed on: http://en.wikipedia.org/wiki/Access_control
>
> This distinction is so ground into people (especially students) these
> days that I've found it common (even on cap-talk) for competitive
> people to essentially probe for weaknesses in opponents during debate
> by trying to find flaws in their use of these terms and in their
> clear distinction between them.
>
> And yet ... it seems to me that this very distinction is at the heart
> of the "ambient authority" model and much that I view as broken about
> the dominant implementations of access control.
I don't find that insisting on a distinction between these concepts
equates to saying that access control should be based on testing identity.
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>