[cap-talk] Definition of Authentication on wiki.erights.org
Rob Meijer
capibara at xs4all.nl
Sat Sep 5 11:01:56 EDT 2009
On Sat, September 5, 2009 13:04, Matej Kosik wrote:
> Karp, Alan H wrote:
>>> Another example: You have a piece of software. We already know how to
>>> follow POLA and POLA may be enforced over that software which is good
>>> but it is always interesting (if a given software does not work as
>>> expected) to determine its genuineness. You can blame the vendor only for
>>> genuine software, not for fakes.
>>>
>> An example of authentication that doesn't involve identity. For
>> example, if someone you trust gives you the hash code of the software,
>> you can authenticate it without knowing who wrote it.
>
> I think identity is still present. My authentication process determines
> whether hashes were issued by subject(s) I trust.
There may be identity involved, but if you use a hash (from any trusted
source) to authenticate a piece of software with a trusted hash, you are
validating a property of the software (its integrity), not trying to find
out which of your friends might have signed it.
This example clearly shows that I, with my definition 2, have fallen into
the same trap as you with definition 1, that is the trap of using too
narrow a definition derived from too small a set of examples.
It seems that 'identity', 'source of authority' and 'source of
accountability' all are just examples of what the property (of object or
subject) that authentication validates can be, even in the infosec
setting.
Looking at it like this, your definition reads like:
Authentication is the authentication of the identity of a principal.
While mine reads like:
Authentication is the authentication of a source of accountability or of
a source of authority.
Alan's examples have shown us both to be blindsided by the too limited set
of our examples.
Rob
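The contrast in the thread above, between checking a property of the software (its digest matches one a trusted party handed you) and checking who vouched for it, as an added example in Python. This is not code from the cap-talk thread or from any of its participants. It assumes a constructed byte string standing in for the software, a digest obtained out of band, and an HMAC with a shared key (`VENDOR_KEY`, a hypothetical name) as a stand-in for a vendor signature; the helper names are all assumptions.

```python
import hashlib
import hmac

# Constructed sample "software" and a tampered copy (not real files).
GENUINE = b"print('hello from the vendor build')\n"
TAMPERED = GENUINE.replace(b"vendor", b"someone else")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the blob."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, trusted_hex: str) -> bool:
    """Property-based authentication, as in Alan's example: does this
    blob match the digest a trusted source gave us? No signer identity
    is checked; the trust lives entirely in the channel that delivered
    the digest. The comparison is constant-time so the check itself
    does not leak how many leading characters matched."""
    actual = sha256_hex(data)
    return hmac.compare_digest(actual, trusted_hex.strip().lower())


def tag(data: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 tag over the blob. Hypothetical stand-in for a
    vendor signature: only a holder of `key` can produce it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_origin(data: bytes, key: bytes, tag_value: bytes) -> bool:
    """Identity-based authentication: a good tag says 'the key holder
    vouched for this blob', which is a statement about a principal,
    not just about the bytes."""
    return hmac.compare_digest(tag(data, key), tag_value)


# Assumed to have been obtained out of band from someone we trust;
# computed here only so the example runs stand-alone.
TRUSTED_HASH = sha256_hex(GENUINE)
VENDOR_KEY = b"hypothetical-shared-key"  # assumption: stands in for a signing key


if __name__ == "__main__":
    print(verify_integrity(GENUINE, TRUSTED_HASH))   # True
    print(verify_integrity(TAMPERED, TRUSTED_HASH))  # False
    vendor_tag = tag(GENUINE, VENDOR_KEY)
    print(verify_origin(GENUINE, VENDOR_KEY, vendor_tag))   # True
    print(verify_origin(TAMPERED, VENDOR_KEY, vendor_tag))  # False
```

The practical caveat that follows from Rob's point: `verify_integrity` is only as strong as the channel that delivered `TRUSTED_HASH`. An attacker who can substitute both the software and the published digest defeats it entirely, whereas `verify_origin` still fails unless the attacker also holds the key; that difference is exactly what separates a property check from a principal check.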