[cap-talk] What's an authenticated authentication?

Ludovic Courtès ludo at gnu.org
Fri Jul 24 08:50:22 EDT 2009


Hello,

Toby Murray <toby.murray at comlab.ox.ac.uk>
writes:

> Consider a password in the context of a particular user account.
>
> The password is an "authenticator". It proves that whoever submits the
> password is "authentic", i.e. is the user that the account belongs to.
> [*]
>
> However, the authenticator must be authenticated -- the given password
> must be checked against the stored password (or a salted one-way
> transformation of it etc.) for the user account.
>
> So authenticating an authenticator may not be as bogus as it sounds at first.

That's true.  But similarly to the passport example, it's just a special
case.

> In the context of your [0] (Jonathan Rees' "A security kernel based on
> the lambda calculus"), the author himself says
>
>   "I think I used the term "authentication" incorrectly in this paper."
>
> (see http://mumble.net/~jar/pubs/secureos/).

Hmm, I don't know what made him say so.

Thanks,
Ludo'.
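As an added illustration of Toby's point that the authenticator itself must be authenticated (this is example code, not part of the thread and not from Rees' paper): the account stores only a salted one-way transformation of the password, and checking a submitted password means recomputing that transformation with the stored salt and comparing the results. The use of PBKDF2-HMAC-SHA256, a 16-byte random salt and the iteration count are assumptions made here for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the cap-talk thread. PBKDF2-HMAC-SHA256, the
# 16-byte salt and the iteration count are illustrative assumptions.
ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Create the stored account record.

    Only a salted one-way transformation of the password is kept; the
    password itself is never stored. A fresh random salt per account means
    two users with the same password get different stored digests.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify_password(record: dict, submitted: str) -> bool:
    """Authenticate the authenticator.

    Recompute the transformation of the submitted password with the salt
    and iteration count stored for this account, then compare against the
    stored digest in constant time so that timing does not leak how many
    leading bytes matched.
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def same_password_different_salts(password: str) -> bool:
    """Return True if two records for the same password differ in digest
    (i.e. the salt is doing its job)."""
    a = make_record(password)
    b = make_record(password)
    return a["digest"] != b["digest"] and a["salt"] != b["salt"]


if __name__ == "__main__":
    # Constructed sample: a user account with an assumed password.
    account = make_record("correct horse battery staple")
    print("right password accepted:", verify_password(account, "correct horse battery staple"))
    print("wrong password rejected:", not verify_password(account, "Tr0ub4dor&3"))
    print("salt varies per record:", same_password_different_salts("correct horse battery staple"))
```

Note that `verify_password` never compares the submitted password to a stored password; it compares the stored digest to a freshly computed one, which is what "checking the given password against a salted one-way transformation" means in practice.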
