[cap-talk] Ambient authority, authentication and authorization

[David Hopwood]

Jed Donnelley wrote:
> At 04:01 PM 1/20/2007, David Hopwood wrote:
>>Jed Donnelley wrote:
>>
>>>One thing that occurred to me when working on this page and looking
>>>at various access control references is the significance of the usual
>>>distinction between:
>>>
>>>1.  Identification and authentication (I&A)
>>>and
>>>2.  Authorization
>>>
>>>as discussed on:  http://en.wikipedia.org/wiki/Access_control
>>>
>>>This distinction is so ground into people (especially students) these
>>>days that I've found it common (even on cap-talk) for competitive
>>>people to essentially probe for weaknesses in opponents during debate
>>>by trying to find flaws in their use of these terms and in their
>>>clear distinction between them.
>>>
>>>And yet ... it seems to me that this very distinction is at the heart
>>>of the "ambient authority" model and much that I view as broken about
>>>the dominant implementations of access control.
>>
>>I don't find that insisting on a distinction between these concepts,
>>equates to saying that access control should be based on testing identity.
> 
> What it comes down to for me is that once you have an identity
> established (the authentication step), then what are you going
> to do with that identity information?

Use it to give the shell access to a logged-in user's home directory, for
example.

[...]
> It's true that even with capability based system there
> seems to be a need for some sort of "bundled" authorization,
> at least at the beginning of a "login" session.  How
> does this differ from just a single capability to
> something like a directory of other capabilities?

It doesn't. But if identification is only used once per login, whereas
authorization is involved every time a capability is invoked, doesn't that
support the point that they should be distinguished?

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>