[cap-talk] What's an authenticated authentication?
Matej Kosik
kosik at fiit.stuba.sk
Fri Jul 24 10:21:20 EDT 2009
Ludovic Courtès wrote:
> Hi,
>
> Matej Kosik <kosik at fiit.stuba.sk> writes:
>
>> Ludovic Courtès wrote:
>
> [...]
>
>>> Looking at the definitions of `authenticate' and `authentication' makes
>>> me wonder about the meaning of this API in English (from WordNet):
>>>
>>> 1. (1) authenticate -- (establish the authenticity of something)
>> This makes sense.
>
> The definitions are from WordNet (these are English definitions, not
> taking into account CS usage, should it be different), so they surely
> make sense. ;-)
>
>>> So this method literally "establishes the authenticity of a mark that
>>> validates the authenticity of something"?
>> This sentence makes no sense to me.
>
> I was playing devil's advocate by translating literally the method
> signature using the above definitions.
>
>> Already the first sentence:
>>
>> "Broadly speaking, authentication is any procedure or test that
>> determines whether an object is trustworthy or genuine."
>>
>> is disputable. I would delete the word "trustworthy". Authentication
>> does not establish trustworthiness. That is a delusion.
>
> Agreed. I think Section 2.3 makes a lot of sense, though.

I am somewhat worried by the claim that "Authentication is an important
capability of secure computer systems.".
I would change "is an important capability" to "is useful in specific
cases".

Next sentence is

"A request received from an untrusted source such as a public
communications network must be authenticated as originating from an
agent that has the right to perform the action specified by the request."

This is not my viewpoint.

Next sentence:

"In a dynamically typed programming language such as Lisp or Snobol, a
value must be authenticated as being of the correct type for an operator
receiving it as an operand."

This is an abuse of the term "authentication".

Next sentence:

"The solution to the safe invocation example of Section 2.2 involves a
test for the authenticity of a putatively safe or trustworthy object
(Bart's program)."

Is authentication essential for safe program invocation? I do not think
so. Authentication can be done reliably but it is a self-deception to
assume that it somehow miraculously leads to safe invocation. Which in
W7 may be achieved, but the above sentence is not comprehensible to me.