[cap-talk] What's an authenticated authentication?
Matej Kosik
kosik at fiit.stuba.sk
Thu Jul 30 02:26:21 EDT 2009
Matej Kosik wrote:
> Rob Meijer wrote:
>> On Wed, July 29, 2009 10:23, Matej Kosik wrote:
>>> Rob Meijer wrote:
>>>> While it may be correct, it took me a few times to catch the reasoning
>>>> behind it. I feel taking this track in definition might be seeding some
>>>> unneeded confusion.
>>> What kind of confusion? Isn't the definition both:
>>> - correct
>>> - and concise?
>>>
>>> Can you give some examples of authentication that the presented
>>> definition does not fit?
>>>
>>> Can you give some examples which will indicate that the definition is
>>> confusing? (for us)
>> Not within an OC or AAA context, no.
>>
>>> It may be confusing for others, but that is not always avoidable and we
>>> should not trade our confusion for non-confusion of others. What we can
>>> do is to explain our viewpoint and this can be successfully done.
>> I feel it may be unnecessarily confusing in that it defines an essentially
>> different angle for 'our' relevant subset of the normal 'validation of
>> authenticity'. A valid angle, but I feel that defining our (the OC or AAA
>> subset) exactly as a subset may be a bit less confusing to others while
>> being just as useful for us.
>
> I cannot think of an example where the currently stated definition:
> http://wiki.erights.org/wiki/Authentication
> would not cover well things that should be regarded as authentication.
>
> The definition you proposed seems to me more confusing because it does
> not directly define authorization.
Sorry, I meant authentication here.
> It names several (useful) things that
> can be done if we are able to perform authentication. However, unless we
> know what authentication is, your points are a bit confusing.
>
> Your note about relationship between authentication and accountability
> is useful and I have added it as a note; below the definition.
>
> There are other ways in which the page can be improved:
> http://wiki.erights.org/wiki/Talk:Authentication
>
>>>> I would suggest staying closer to the regular interpretation of authenticity
>>>> and authentication.
>>>>
>>>> When explaining different access control models including capabilities, I
>>>> first explain about authority and sources of authority, then about
>>>> accountability. After that explaining about authentication leads to a
>>>> definition.
>>>>
>>>> The following is the definition I have been actively using in training
>>>> material:
>>>>
>>>> Authentication (in an AAA context) is the process of validating the
>>>> authenticity of either:
>>>>
>>>> * a source of authority.
>>> I do not understand this point. Can you give examples where authenticity
>>> is a source of authority? I do not agree with this in general.
>>>
>> That is not what I am saying. I am saying that what authorization
>> validates is 'the authenticity of a source of authority' and/or 'the
>> authenticity of a target of accountability'.
>>
>> An example of a source of authority could be an identity, but also for
>> example I believe a SAML assertion that is used as a capability.
>>
>> Rob
>
--
Matej Kosik