[cap-talk] What we have here is a failure to communicate

Jed Donnelley capability at webstart.com
Wed Dec 31 02:15:40 EST 2008


At 02:16 PM 12/29/2008, Rob Meijer wrote:
>On Sun, December 28, 2008 06:46, Karp, Alan H wrote:
>...We should actually try to make clear that authentication IS a
>broader concept, and that authenticating, for example your SAML
>assertions, is just as much an act of authentication as authentication
>of subject identity.

Hmmm.  If there is an intent to use the term "authentication" for more than
"subject authentication" then I'm afraid I don't know what that additional
meaning is.  I thought AlanK's SAML assertions were "authorization based
access control".  That is, they are explicitly 'authentication free'.
Is there anything in the SAML assertions that demands a specific subject -
beyond of course the possession of a capability-like token?  I admit to
little understanding of the SAML assertions, but if they can be used as
an example of authentication that isn't "subject authentication" then I
would like to better understand that mechanism and meaning.

At 09:07 PM 12/29/2008, Karp, Alan H wrote:
>Rob Meijer wrote:
> >
> > I feel it is important to not fall into the identity bias trap by
> > limiting discussion of authentication to the authentication of
> > subject identity.
> > We should actually try to make clear that authentication IS a broader
> > concept, and that authenticating for example your SAML assertions
> > is just as much an act of authentication as authentication of
> > subject identity.
>
>I agree, but I think we need to be explicit.  When I use the term 
>"subject authentication", I am making it clear what aspect of 
>authentication I mean.  It's why we use the term "object 
>capabilities" (a term first used only recently), to make it clear 
>that we're not talking about special hardware registers or some 
>other form of capabilities.

It would help me to have some examples of other 'aspects' of 
authentication besides "subject authentication".  Are you (both) 
referring to the general definition of "authentic"?

For example, would the checking of a capability token for validity be 
considered an act of "authentication"?  For me such an act still 
falls more into the 'subject' authentication category.  It's the act 
of verifying that the subject had a genuine capability.

I wonder if it might help to consider something like "two factor" 
authentication to clarify the use of the "authentication" term.  An 
old saw about some forms of two factor authentication is "Something 
you have and something you know".  That is, authentication requires 
both the possession of a valid token AND knowledge of some sort of 
information (e.g. like a password).  The end goal, however, is to 
validate the acting subject.  Not necessarily the subject's identity 
(as Alan notes) - any subject with both the token and the information 
will do - but still to provide assurance that the subject is 
"authentic", not some ersatz pretender.

What seems to me a pretty clearly non-subject form of authentication 
would be something like authenticating an antiquity.  There would 
seem to be no "subject" in such a case?  Even in a case like that, 
however, isn't the authentication saying something about the creator 
of the antiquity?  That seems to me to come pretty close to a 
"subject" validation.  The creator is where the antiquity came from - 
the "from" address.

I'm just trying out some examples to see if I can get a better 
understanding of the non-subject forms of authentication in the 
information technology context.  As you can see I'm struggling, so 
some clearer examples and interpretation would be helpful.

--Jed  http://www.webstart.com/jed-signature.html  
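An added illustration of the distinction the post is circling (example code, not from the original post or from any cap-talk participant): a bearer capability token protected by an HMAC. Validating it authenticates the token, that is, it proves the token was minted by a holder of the issuer key and has not expired or been altered, but the payload names no subject, so a successful check says nothing about who presented it. An optional "knowledge factor" then models the "something you have and something you know" pattern: the token alone is refused unless the matching secret is also presented. The issuer key, resource paths, field names and the `kf` claim are all constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo key; a real issuer would keep this in a secrets store or HSM.
ISSUER_KEY = b"constructed-demo-issuer-key-not-for-real-use"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _knowledge_tag(key: bytes, secret: bytes) -> bytes:
    # Keyed hash of the "something you know" factor; never stored in clear.
    return hmac.new(key, b"knowledge:" + secret, hashlib.sha256).digest()


def mint_capability(key, resource, rights, ttl_seconds, now=None, knowledge_secret=None):
    """Issue a bearer token: resource + rights + expiry, deliberately no subject field.
    If knowledge_secret is given, bind a second factor into the token ('kf' claim)."""
    now = time.time() if now is None else now
    claims = {"resource": resource, "rights": list(rights), "exp": int(now) + ttl_seconds}
    if knowledge_secret is not None:
        claims["kf"] = _b64e(_knowledge_tag(key, knowledge_secret))
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_capability(key, token, now=None, knowledge_secret=None):
    """Return the claims if the token is genuine, unexpired and (when bound) accompanied
    by the correct knowledge factor; otherwise None. Who presents it is never examined."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison: is this token authentic, i.e. minted under our key?
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:
        return None
    if "kf" in claims:
        # Two-factor path: possession of the token is not enough on its own.
        if knowledge_secret is None:
            return None
        if not hmac.compare_digest(_knowledge_tag(key, knowledge_secret), _b64d(claims["kf"])):
            return None
    return claims


if __name__ == "__main__":
    t0 = int(time.time())
    tok = mint_capability(ISSUER_KEY, "/reports/q4", ["read"], 600, now=t0)
    print("bearer token accepted:", verify_capability(ISSUER_KEY, tok, now=t0) is not None)
    tok2 = mint_capability(ISSUER_KEY, "/vault", ["open"], 600, now=t0, knowledge_secret=b"correct horse")
    print("token alone:", verify_capability(ISSUER_KEY, tok2, now=t0))
    print("token + secret:", verify_capability(ISSUER_KEY, tok2, now=t0, knowledge_secret=b"correct horse"))
```

Note what the verifier does and does not learn: a valid tag tells it the token is authentic in the "antiquity" sense (it came from the issuer, unmodified), and nothing about the presenter; adding the knowledge factor narrows acceptable presenters to those holding the secret, still without naming anyone.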
