[cap-talk] What's an authenticated authentication?
Matej Kosik
kosik at fiit.stuba.sk
Fri Jul 24 13:06:50 EDT 2009
Karp, Alan H wrote:
> The various uses of the word "authenticate" led to a serious disconnect in an ongoing discussion we've been having with DISA, the IT organization for the US Department of Defense. I didn't really understand what the confusion was all about until a discussion with Lorrie Cranor at our SOUPS poster presentation. She kept talking about using authentication to make an access decision, and we kept asking who she was authenticating. After a couple of rounds of that, I realized that she was saying you must authenticate the authorization to make sure it is legitimate. (We use the word "validate" to avoid just that point of confusion.)
>
> I have now started to use the phrase "subject authentication" to mean verifying that the subject has some property, such as identity, role, or attributes. That's avoided the confusion, at least so far.
Those who have time, please review this definition:
http://wiki.erights.org/wiki/Authentication