[cap-talk] Ambient authority, authentication and authorization
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Sun Jan 21 10:44:03 CST 2007
Jed Donnelley wrote:
> At 08:10 PM 1/20/2007, David Hopwood wrote:
>>Jed Donnelley wrote:
>>[...]
>>
>>>It's true that even with capability based system there
>>>seems to be a need for some sort of "bundled" authorization,
>>>at least at the beginning of a "login" session. How
>>>does this differ from just a single capability to
>>>something like a directory of other capabilities?
>>
>>It doesn't. But if identification is only used once per login, whereas
>>authorization is involved every time a capability is invoked, doesn't that
>>support the point that they should be distinguished?
>
> The common understanding of the authentication/authorization
> distinction is that authentication is done once to establish
> identity, but then the established identity is used again
> and again for authorization. Authorizations are expressed
> in terms of the established identity. That's where I believe
> the problem lies.
>
> You see it throughout the discussion, e.g. on:
>
> http://en.wikipedia.org/wiki/Access_control
I've made an attempt to fix that; see what you think.
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
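Added illustration for the thread above (not code from the original post or from either author): the two models Jed and David are contrasting, side by side. In the first, authentication happens once and every later read is authorized by looking the established identity up in an ACL. In the second, authentication once yields a single capability to a directory of other capabilities, and each invocation is authorized by the reference being invoked rather than by any identity. All names here (AclFileSystem, FileCap, Directory, the users alice and bob, the plaintext password table) are constructed for the example.

```python
"""Identity-based authorization next to capability-based authorization."""
from __future__ import annotations
from typing import Any

# Constructed credential table shared by both models (plaintext only to keep
# the example short; a real system would store password hashes).
PASSWORDS = {"alice": "correct horse", "bob": "battery staple"}


def authenticate(user: str, password: str) -> str:
    """Authentication happens once per login in both models."""
    if PASSWORDS.get(user) != password:
        raise PermissionError("bad credentials")
    return user


# ---- Model 1: authorizations expressed in terms of identity ---------------
class AclFileSystem:
    """Every read is checked against an ACL keyed by the authenticated identity."""

    def __init__(self) -> None:
        self._files: dict[str, str] = {}
        self._acl: dict[str, set[str]] = {}

    def create(self, name: str, content: str, owner: str) -> None:
        self._files[name] = content
        self._acl[name] = {owner}

    def grant(self, name: str, principal: str) -> None:
        # Sharing means editing the ACL: the resource has to know the identity.
        self._acl[name].add(principal)

    def read(self, identity: str, name: str) -> str:
        # The identity established at login is consulted on every invocation.
        if identity not in self._acl.get(name, set()):
            raise PermissionError(f"{identity} may not read {name}")
        return self._files[name]


# ---- Model 2: the capability itself is the authorization -------------------
class FileCap:
    """An unforgeable reference to one file. Holding it is the authorization."""

    def __init__(self, content: str) -> None:
        self._content = content

    def read(self) -> str:
        return self._content


class Directory:
    """A capability to a bundle of other capabilities (the login 'bundle')."""

    def __init__(self) -> None:
        self._entries: dict[str, Any] = {}

    def add(self, name: str, cap: Any) -> None:
        self._entries[name] = cap

    def lookup(self, name: str) -> Any:
        return self._entries[name]

    def names(self) -> list[str]:
        return sorted(self._entries)


HOME: dict[str, Directory] = {}  # constructed: each user's initial directory cap


def cap_login(user: str, password: str) -> Directory:
    """Authenticate once, then hand back a single directory capability.

    No identity check happens after this point: each later invocation is
    authorized by the capability being invoked.
    """
    authenticate(user, password)
    return HOME.setdefault(user, Directory())


def demo() -> dict[str, Any]:
    results: dict[str, Any] = {}

    # Identity-based model: identity re-checked on every read.
    fs = AclFileSystem()
    alice = authenticate("alice", "correct horse")
    bob = authenticate("bob", "battery staple")
    fs.create("notes.txt", "alice's notes", owner=alice)
    results["acl_owner_read"] = fs.read(alice, "notes.txt")
    try:
        fs.read(bob, "notes.txt")
        results["acl_other_read"] = "allowed"
    except PermissionError:
        results["acl_other_read"] = "denied"
    fs.grant("notes.txt", bob)  # share by naming an identity in the ACL
    results["acl_after_grant"] = fs.read(bob, "notes.txt")

    # Capability model: login returns a directory cap; reads need no identity.
    HOME.clear()
    alice_dir = cap_login("alice", "correct horse")
    bob_dir = cap_login("bob", "battery staple")
    alice_dir.add("notes.txt", FileCap("alice's notes"))
    results["cap_owner_read"] = alice_dir.lookup("notes.txt").read()
    # Bob's directory simply holds no reference to the file: nothing to invoke.
    results["cap_other_has_ref"] = "notes.txt" in bob_dir.names()
    # Sharing is passing the capability, not editing an ACL.
    bob_dir.add("shared-notes.txt", alice_dir.lookup("notes.txt"))
    results["cap_after_delegation"] = bob_dir.lookup("shared-notes.txt").read()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the example isolates is where authorization state lives: in `AclFileSystem` it is a table keyed by identity that the server consults on every call, while in the capability model the only "bundled" step is the login returning a `Directory`, after which authorization is carried by the references themselves and can be delegated by handing one over.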