[cap-talk] (no subject)
Karp, Alan H
alan.karp at hp.com
Fri Sep 4 12:18:00 EDT 2009
Rob Meijer wrote:
> 1) "Given one end of a communication channel, an authentication procedure
> establishes which principal is probably at the other end."
>
> 2) "Authentication is the validation of a specific property of an object,
> where this property must either be a source of authority, a source of
> accountability, or both."
>
A definition should be succinct, yet complete. It is useful to illustrate the definition with examples, but examples should not be a part of the definition. I believe #1 is more an example of how authentication can be use than it is a definition. I think #2 is a good definition if you stopped after the first line, and said "object or subject."
I don't think it's necessary to bring in authority or accountability, but those are good examples of what we often look for when we authenticate. An example where neither comes into play is authenticating a fossil. In that case, we are making sure the object is as old (has the property of age) as we are told it has.
We authenticate many things. We may want to authenticate the citizenship of a subject before granting an authority. We may want to authenticate the provenance of a document before trusting its contents. Some people use the word "authenticate" for the process of checking the validity of an authorization. We authenticate identities, even if they won't be used to make access decisions in an IBAC system. In my ZBAC discussions I have started using the phrase "subject authentication" to avoid just this confusion. #2 fits this use with the change I proposed above.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
More information about the cap-talk
mailing list