[cap-talk] What's an authenticated authentication?
Karp, Alan H
alan.karp at hp.com
Fri Jul 24 12:13:14 EDT 2009
The various uses of the word "authenticate" led to a serious disconnect in an ongoing discussion we've been having with DISA, the IT organization for the US Department of Defense. I didn't really understand what the confusion was all about until a discussion with Lorrie Cranor at our SOUPS poster presentation. She kept talking about using authentication to make an access decision, and we kept asking who she was authenticating. After a couple of rounds of that, I realized that she was saying you must authenticate the authorization to make sure it is legitimate. (We use the word "validate" to avoid just that point of confusion.)
I have now started to use the phrase "subject authentication" to mean verifying that the subject has some property, such as identity, role, or attributes. That's avoided the confusion, at least so far.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp