[cap-talk] Definition of Authentication on wiki.erights.org
Rob Meijer
capibara at xs4all.nl
Fri Sep 4 14:46:03 PDT 2009
On Fri, September 4, 2009 22:02, David-Sarah Hopwood wrote:
> Rob Meijer wrote:
>> The list has been quiet lately, unfortunately some interesting
>> discussions seem to have died out prematurely. One of them is, I feel,
>> an essential one, that of the definition of authentication.
>>
>> As I stated in the discussion earlier, I feel that the definition in
>> http://wiki.erights.org/wiki/Authentication (1) is overly complicated
>> to explain, and quite possibly wrong.
>>
>> In any case I've been using an alternative definition in talks I've been
>> giving, that I stated earlier in the died-off discussion.
>>
>> I have been thinking about a clearer wording for the definition I have
>> been using, and would like to suggest an alternative definition (2).
>>
>> 1) "Given one end of a communication channel, an authentication
>> procedure establishes which principal is probably at the other end."
>>
>> 2) "Authentication is the validation of a specific property of an
>> object, where this property must either be a source of authority, a
>> source of accountability, or both."
>>
>> I personally feel that 1 is too far detached from everyday usage of the
>> word, is too much centered around use by the identity-based mechanisms,
>> and is complicating something quite simple by doing so.
>
> Authentication absolutely is about identifying principals. In cases where
> you don't need that, you don't need authentication.
I think the examples Alan gave (and to a lesser extent the examples I
gave) show there are instances of authentication where identity of
principals does not play a role.
> When talking about more general cases of testing whether something is
> valid according to some criterion, it's much clearer to say "validation"
> (or "verification", or whatever).
>
> The point about (1) is that it says something non-obvious and useful about
> authentication, rather than just defining it circularly in terms of other
> words that mean approximately the same thing. It is supposed to provoke
> the reaction: "Aha! Now that I think about it, of course there is *always*
> a communication channel involved."
The point about 1 is that it takes an example (IBAC usage of
authentication of identity) and tries to abstract it into what is, in my
opinion, an unnatural definition by loosening the definition of channel
and artificially increasing the importance of identity.
>> Am I the only one who sees a problem with 1? And whatever the answer to
>> that, is 2 a good definition?
>
> Definition 2 is just far too vague for me. I don't understand what
> "a property [that is] a source of authority and/or accountability" is
> supposed to mean.
I think I agree that, although a bit less than 1, 2 is also too
example-centric, and the definition should, as Alan suggested, indeed be:
3) "Authentication is the validation of a specific property of an object
or subject."
Both 'a source of accountability' and 'a source of authority' are
qualifiers of groups of examples of what this property will often be in
information systems.
'Identity' again is an even more narrow example of what this property may
be or convey.
Rob
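The distinction argued over in this thread, definition (1) versus definition (3), can be made concrete in code. The following Python example is an added illustration, not code from the original post or from the erights.org wiki; the principal names, keys and token format are constructed for the example. The first pair of functions authenticates under (1): given a message received over a channel, it answers "which principal is probably at the other end". The second pair authenticates under (3): given a capability token, it validates a single property of that object (that it was minted under the authority's key) and yields only yes or no, with no principal identified anywhere.

```python
"""Two notions of authentication from the cap-talk thread, side by side.

Added illustration (not from the original post). All keys, principal names
and tokens below are constructed for the example.
"""
import hashlib
import hmac

# Constructed per-principal keys for the identity-based case (definition 1).
PRINCIPAL_KEYS = {
    "alice": b"alice-secret-constructed",
    "bob": b"bob-secret-constructed",
}

# Constructed minting key for the property-based case (definition 3).
MINT_KEY = b"mint-secret-constructed"


def _mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 tag over data under key."""
    return hmac.new(key, data, hashlib.sha256).digest()


# --- Definition (1): which principal is probably at the other end? ---------

def sign_as(principal: str, message: bytes) -> bytes:
    """Sender side: tag the message with the sender's own key."""
    return _mac(PRINCIPAL_KEYS[principal], message)


def authenticate_principal(message: bytes, tag: bytes):
    """Receiver side: return the name of the principal whose key produced
    the tag, or None if no known principal matches. The output is an
    identity; that is what definition (1) is about."""
    for name, key in PRINCIPAL_KEYS.items():
        if hmac.compare_digest(_mac(key, message), tag):
            return name
    return None


# --- Definition (3): validate a property of an object, identity-free -------

def mint_capability(resource: str, rights: str) -> bytes:
    """Authority side: mint a token of the form resource|rights|hex(tag).
    The token names no principal; the property it carries is 'minted by
    the holder of MINT_KEY'. (Constructed format: '|' may not appear in
    resource or rights.)"""
    body = f"{resource}|{rights}".encode()
    return body + b"|" + _mac(MINT_KEY, body).hex().encode()


def authenticate_capability(token: bytes) -> bool:
    """Validate the token's integrity property. The answer is a bare
    yes/no: the question 'which principal?' never arises, which is the
    point of definition (3)."""
    parts = token.split(b"|")
    if len(parts) != 3:
        return False
    body = parts[0] + b"|" + parts[1]
    try:
        tag = bytes.fromhex(parts[2].decode())
    except ValueError:
        return False
    return hmac.compare_digest(_mac(MINT_KEY, body), tag)


if __name__ == "__main__":
    msg = b"hello"
    print("definition (1):", authenticate_principal(msg, sign_as("alice", msg)))
    tok = mint_capability("file:/constructed/path", "read")
    print("definition (3), genuine:", authenticate_capability(tok))
    print("definition (3), tampered:",
          authenticate_capability(tok.replace(b"|read|", b"|write|")))
```

Note that `authenticate_capability` never consults a principal table at all; a caller who only holds the token can have it validated without the validator learning or caring who the caller is, which is the kind of case Rob says Alan's examples cover.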