[cap-talk] Architectural Choices: How to migrate from IBAC to ABAC

Jed Donnelley jed at nersc.gov
Thu Nov 15 16:12:06 EST 2007

On 11/15/2007 11:01 AM, Karp, Alan H wrote:
> Jed wrote:
> Verifying that the capability is authentic does not involve
> authenticating the requester.

Right.  It "authenticates" the capability, nothing to
do with the requester.  Is the term "authentication"
so intrinsically tied up in the IT terminology with
authenticating an identity (user) that people know
to apply it in no other context?  Regarding:

>> I know that's what I hear from many computer security
>> people for whom the authentication/authorization
>> steps are a mantra.  I personally don't want to fight
>> that thinking.

The people I've spoken to where the confusion arose
were thinking of "authentication" as a general term
such as verifying that a certificate is 'authentic'
or that a user identification is 'authentic', etc.
After 'authentication' comes authorization, regardless
of whether what was authenticated is a certificate or a
capability or an identity.  For such people (perhaps
there are few of them that I just happened to run
into?) there is an 'authentication' step and an
'authorization' step in granting any permission
(authority).  With such thinking, referring to a
type of access control as "Authorization Based"
seems to be meaningless.

In this paragraph below, you seem to be limiting
the term "authentication" to the authentication
of a user/id:

> I agree.  I avoid the problem by separating authentication from
> authorization instead of eliminating authentication.  As I say in my
> presentations, "Alice authenticates to her domain and gets her set of
> authorizations.  She presents the correct one with her requests, but the
> service provider only needs to verify the authenticity of the
> certificate, not Alice's authentication."

I understand what you are saying.  However, can you see how
in that last sentence where you say "...verify the authenticity
of the certificate, not Alice's authentication." you are
distinguishing between two sorts of authentication verification:

1.  The type that you seem to suggest is a real "authentication"
(when you refer to Alice's authentication) and

2.  The verification of the authenticity of the certificate -
which for you seems not to be considered an 'authentication'?

Can you see how this might be a source of confusion for
people who think of all access control decisions as
involving an authentication and an authorization step?

When you then try to distinguish access control mechanisms
by separating them into "Identity Based" and "Authorization
Based" types - well, Identity Based is fine, but what
does "Authorization Based" access control mean if all
access control involves an authorization step?

I'm going to leave in the following paragraph to try
to make sense of what follows:

>>                 I'd rather just deflect it a bit
>> by moving it away from Identity authentication followed
>> by Identity Based Access Control (authorization decisions
>> based on the authenticated identity - whether using
>> policies based on Roles or on Context or ...) to what
>> amounts to Object (reference) authentication followed
>> by Object Based Access Control - with all the
>> corresponding values that are so near and dear to
>> us on cap-talk.
> Ocaps is a harder sell than the more general concept of capabilities.
> Explicit authorizations are more general than capabilities.  I have been
> trying to use those differences to find the smallest change needed to
> move people from IBAC (and the others) to ABAC.

I wonder if it might be helpful to have a taxonomy of
the various types of capability-like mechanisms with
examples of each?  E.g. some capabilities that aren't
object/capabilities and some of what you refer to as
"explicit authorization"s that aren't capabilities
(you gave an example above)?

>> I'm trying to bend our terminology so that it will
>> make sense to general computer security people who
>> aren't steeped in capability phraseology.
> That's exactly what I do when I describe Alice submitting the
> authorization certificate directly to the service instead of indirectly
> via the PDP/PEP.

OK.  If I'm not getting any traction with the issue
I'm focusing on with others, I'll just leave it -
assuming that the "authentication" step is only considered
with user/id authentication and that "Authorization
Based" access control has meaning in that the
authorization is separated from at least the
user/id authentication.  Seems fuzzy to me, but
if it makes sense to others I've got no complaints.


More information about the cap-talk mailing list