[cap-talk] Ambient authority, authentication and authorization
Jed Donnelley
capability at webstart.com
Sat Jan 20 20:09:20 CST 2007
At 04:01 PM 1/20/2007, David Hopwood wrote:
>Jed Donnelley wrote:
> > One thing that occurred to me when working on this page and looking
> > at various access control references is the significance of the usual
> > distinction between:
> >
> > 1. Identification and authentication (I&A)
> > and
> > 2. Authorization
> >
> > as discussed on: http://en.wikipedia.org/wiki/Access_control
> >
> > This distinction is so ground into people (especially students) these
> > days that I've found it common (even on cap-talk) for competitive
> > people to essentially probe for weaknesses in opponents during debate
> > by trying to find flaws in their use of these terms and in their
> > clear distinction between them.
> >
> > And yet ... it seems to me that this very distinction is at the heart
> > of the "ambient authority" model and much that I view as broken about
> > the dominant implementations of access control.
>
>I don't find that insisting on a distinction between these concepts,
>equates to saying that access control should be based on testing identity.

What it comes down to for me is that once you have an identity
established (the authentication step), then what are you going
to do with that identity information? Where are you going to
put it so that you can check for authorization? You certainly
can't put it into a capability list. The only possibility
is putting it into something like an access control list.

As we've noted again and again, capabilities bind the
specification and authorization. However, isn't that
"authorization" really including any notion of
authentication at the same time?

Certainly in a case like simple "password" capabilities
as data one can see that any notion of authentication
is bound into the single capability. What about a typical
"c-list" descriptor system along the lines of DVH?
Where is the authentication there? I don't see
"authentication" in any part of the access control
paradigm.

It's true that even with a capability-based system there
seems to be a need for some sort of "bundled" authorization,
at least at the beginning of a "login" session. How
does this differ from just a single capability to
something like a directory of other capabilities?
Even there one can consider the specification and
"authentication" to be the access to a single bundled
capability.

Oh well, I don't want to push this at this time, but
I thought I'd share my thoughts while they were fresh in
mind looking at those Wikipedia pages.
--Jed http://www.webstart.com/jed-signature.html
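
Added example, not part of the original message or of any system named in it: a toy Python sketch of the two models the message contrasts, an authenticate-then-check-ACL session next to "password" capabilities as data with a login capability to a directory of capabilities. All class, function and object names and the sample password are constructed for illustration.

```python
import hmac, secrets

class AclSystem:
    """Identity-based model: authenticate, then check the identity against an ACL."""
    def __init__(self):
        self.passwords = {}  # user -> password (authentication data)
        self.acl = {}        # object name -> {user: set of rights}
        self.objects = {}    # object name -> object

    def authenticate(self, user, password):
        stored = self.passwords.get(user, "")
        ok = hmac.compare_digest(stored.encode(), password.encode())
        return user if ok and user in self.passwords else None

    def read(self, identity, name):
        # The identity has to be stored somewhere to be checked: the ACL.
        if "read" not in self.acl.get(name, {}).get(identity, set()):
            raise PermissionError(name)
        return self.objects[name]

class CapSystem:
    """Password capabilities as data: one unguessable token both designates
    the object and authorizes access; no identity is consulted."""
    def __init__(self):
        self._table = {}     # token -> (object, rights)

    def mint(self, obj, rights):
        token = secrets.token_urlsafe(32)
        self._table[token] = (obj, frozenset(rights))
        return token

    def invoke(self, token, right):
        obj, rights = self._table.get(token, (None, frozenset()))
        if right not in rights:
            raise PermissionError("no such capability")
        return obj

def acl_session():
    s = AclSystem()
    s.passwords["alice"] = "constructed-password"
    s.objects["report"] = "Q4 figures"
    s.acl["report"] = {"alice": {"read"}}
    who = s.authenticate("alice", "constructed-password")  # step 1: I&A
    return s.read(who, "report")                            # step 2: authorization

def cap_session():
    c = CapSystem()
    report_cap = c.mint("Q4 figures", {"read"})
    # "Login" is a single capability to a directory of other capabilities.
    login_cap = c.mint({"report": report_cap}, {"read"})
    directory = c.invoke(login_cap, "read")
    return c.invoke(directory["report"], "read")
```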