[cap-talk] Definition of Authentication on wiki.erights.org

David-Sarah Hopwood david-sarah at jacaranda.org
Mon Sep 7 18:49:56 PDT 2009


Karp, Alan H wrote:
> David-Sarah Hopwood wrote:
>> No, it shows that "authentication" is used with at least two distinct
>> meanings. But do we want to use the word "authentication" for two different
>> things, when we have other words (such as "verification") that are clearer
>> and more applicable to one of them? Note that it is the technical jargon
>> meaning of "authentication" in computer science that we are attempting to
>> define, *not* the everyday meaning (or the meaning in some other field
>> such as the study of antiquities).
>
> I ran into a problem when describing ZBAC to people in the
> US Department of Defense.  It took a couple of years for me to realize that
> they were using the word "authentication" in its broader sense.  Given that
> this is a large community with widespread influence, I chose to change
> rather than try to change their usage.  I now use "subject authentication"
> when I describe ZBAC, and I haven't experienced the disconnect since.
> 
> Just so you know the problem isn't just one of the military, I ran into the
> same problem at SOUPS.  Lorrie Cranor and MarcS were talking past each other
> about authentication versus authorization.  It turns out she was talking
> about authenticating

[i.e. validating]

> the authorization.  Here, too, being careful to use the term
> "subject authentication" helped.

I'd be quite happy to use a term that would be less ambiguous to others.

However, "subject authentication" is not quite right for the concept I'd
like to define, because the principal that is being authenticated isn't
necessarily a subject.

subject:   an active entity that makes requests in an access control system.

principal: an entity that can be authenticated; that is, that holds
           credentials (also called authentication factors) allowing it
           to be distinguished from other principals that do not hold those
           credentials.

For instance, if I want to authenticate the author of a document, the author
is by definition a principal, but there isn't necessarily any access control
system in which the author is acting as a subject (or if there is, I don't
have any reason to care, absent other constraints on the problem).

"Principal authentication" seems a little verbose, though.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com