[cap-talk] What's an authenticated authentication?
Matej Kosik
kosik at fiit.stuba.sk
Fri Jul 24 07:28:08 EDT 2009
Hi,
Ludovic Courtès wrote:
> Hello,
>
> I thought this list would be a good place to get feedback about an API I
> stumbled upon:
>
> http://acegisecurity.org/acegi-security/apidocs/org/acegisecurity/AuthenticationManager.html
>
> Authentication authenticate(Authentication authentication)
> throws AuthenticationException
>
> Attempts to authenticate the passed Authentication object, returning
> a fully populated Authentication object (including granted
> authorities) if successful.
>
> Looking at the definitions of `authenticate' and `authentication' makes
> me wonder about the meaning of this API in English (from WordNet):
>
> 1. (1) authenticate -- (establish the authenticity of something)
This makes sense.
Consider the installation of a Debian package. If you download something from
some repository, the package is authenticated before it is installed.
The authentication process determines whether a given package (a given
object) was issued by the given Debian community (some subject). This is
useful if your trust in the Debian community is relatively higher than
your trust in any random person.
Many other examples can be given.
(authentication of documents published by subjects)
>
> 1. (7) authenticity, genuineness, legitimacy -- (undisputed credibility)
Sounds like the previous point.
>
> 1. authentication, hallmark, assay-mark -- (a mark on an article of
> trade to indicate its origin and authenticity)
This may be a special case of the previous points.
> 2. authentication, certification -- (validating the authenticity of
> something or someone)
I think this is a slightly confusing definition. While we can authenticate
something, I do not think that it makes sense to say that we can
authenticate someone. This confuses two things: authentication and
identification. These are separate concepts.
>
> So this method literally "establishes the authenticity of a mark that
> validates the authenticity of something"?
This sentence makes no sense to me.
>
> It's also pretty far from the definition of `authentication' in papers
> such as [0].
>
> Thoughts?
Already the first sentence:
"Broadly speaking, authentication is any procedure or test that
determines whether an object is trustworthy or genuine."
is disputable. I would delete the word "trustworthy". Authentication
does not establish trustworthiness. That is a delusion.
--
Matej Kosik