[cap-talk] Definition of Authentication on wiki.erights.org

Matej Kosik kosik at fiit.stuba.sk
Sat Sep 5 15:35:21 EDT 2009 

Rob Meijer wrote:
> On Sat, September 5, 2009 13:04, Matej Kosik wrote:
>> Karp, Alan H wrote:
>>>> Another example: You have a piece of software. We already know how to
>>>> follow POLA and POLA may be enforced over that software which is good
>>>> but it is always interesting (if a given software does not work as
>>>> expected) to determine its genuinity. You can blame vendor only for
>>>> genuine software not for fakes.
>>>>
>>> An example of authentication that doesn't involve identity.  For
>>> example, if someone you trust gives you the hash code of the software,
>>> you can authenticate it without knowing who wrote it.
>> I think identity is still present. My authentication process determines
>> whether hashes were issued by subject(s) I trust.
> 
> There may be identity involved, but if you use a hash (from any trusted
> source) to authenticate a piece of software with a trusted hash, you are
> validating a property of the software (its integrity), not trying to find
> out which of your friends might have signed it.

I disagree. When I download some package via apt-get, given package is
digitally signed. During authentication procedure I check whether that
given package was released by Debian developers. In other words, I check
who is at the other end of the communication channel through which I
downloaded that package.

Do not confuse this with checking of integrity. This is not what happens
here. Debian developers could distribute a modified version of the
software. In order to check itegrity, I would have to have those hashes
in advance which I do not have. I therefore rely on downloading software
from trusted source. Authentication does not reveal any other fancy
thing but whether at the other end of the communication channel are, in
my case, Debian developers.

So this example of authentication fits definition 1.

Are there examples covered by definition 1 which should not be covered?
Are there examples not covered by definition 1 which should be covered?

<snip>

Sincerely
-- 
Matej Kosik

More information about the cap-talk mailing list