[cap-talk] What's an authenticated authentication?

Matej Kosik kosik at fiit.stuba.sk
Thu Jul 30 02:21:52 EDT 2009


Rob Meijer wrote:
> On Wed, July 29, 2009 10:23, Matej Kosik wrote:
>> Rob Meijer wrote:
>>> While it may be correct, it took me a few times to catch the reasoning
>>> behind it. I feel taking this track in definition might be seeding some
>>> unneeded confusion.
>> What kind of confusion? Isn't the definition both:
>> - correct
>> - and concise?
>>
>> Can you give some examples of authentication that the presented
>> definition does not fit?
>>
>> Can you give some examples which will indicate that the definition is
>> confusing? (for us)
> 
> Not within OC or AAA context no.
> 
>> It may be confusing for others, but that is not always avoidable and we
>> should not trade our confusion for the non-confusion of others. What we
>> can do is explain our viewpoint, and this can be done successfully.
> 
> I feel it may be needlessly confusing in that it defines an essentially
> different angle for 'our' relevant subset of the normal 'validation of
> authenticity'. A valid angle, but I feel that defining our (the OC or AAA
> subset) exactly as a subset may be a bit less confusing to others while
> being just as useful for us.

I cannot think of an example where the currently stated definition:
http://wiki.erights.org/wiki/Authentication
would not cover well things that should be regarded as authentication.

The definition you proposed seems to me more confusing because it does
not directly define authorization. It names several (useful) things that
can be done if we are able to perform authentication. However, unless we
know what authentication is, your points are a bit confusing.

Your note about the relationship between authentication and accountability
is useful and I have added it as a note below the definition.

There are other ways in which the page can be improved:
http://wiki.erights.org/wiki/Talk:Authentication

> 
>>> I would suggest staying closer to regular interpretation of authenticity
>>> and authentication.
>>>
>>> When explaining different access control models including capabilities,
>>> I first explain about authority and sources of authority, then about
>>> accountability. After that, explaining about authentication leads to a
>>> definition.
>>>
>>> The following is the definition I have been actively using in training
>>> material:
>>>
>>>   Authentication (in an AAA context) is the process of validating the
>>>   authenticity of either:
>>>
>>>   * a source of authority.
>> I do not understand this point. Can you give examples where authenticity
>> is a source of authority? I do not agree with this in general.
>>
> 
> That is not what I am saying. I am saying that what authorization
> validates is 'the authenticity of a source of authority' and/or 'the
> authenticity of a target of accountability'.
> 
> An example of a source of authority could be an identity, but also for
> example I believe a SAML assertion that is used as a capability.
> 
> Rob

-- 
Matej Kosik
