[cap-talk] Definition of Authentication on wiki.erights.org

Karp, Alan H alan.karp at hp.com
Mon Sep 7 19:05:47 PDT 2009


David-Sarah Hopwood wrote:
> 
> subject:   an active entity that makes requests in an access control
> system.
> 
> principal: an entity that can be authenticated; that is, that holds
>            credentials (also called authentication factors) allowing it
>            to be distinguished from other principals that do not hold those
>            credentials.

Since I'm talking about an access control decision, it seems that "subject" is the right word.  The subject may be proving that it's working on behalf of a specific principal, but it might just be proving to be a particular process running on my behalf.
>  
> "Principal authentication" seems a little verbose, though.
>
But I can live with it.  My only concern is that I might get some push back, which hasn't happened with "subject authentication" yet.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp


> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org [mailto:cap-talk-
> bounces at mail.eros-os.org] On Behalf Of David-Sarah Hopwood
> Sent: Monday, September 07, 2009 6:50 PM
> To: General discussions concerning capability systems.
> Subject: Re: [cap-talk] Definition of Authentication on
> wiki.erights.org
> 
> Karp, Alan H wrote:
> > David-Sarah Hopwood wrote:
> >> No, it shows that "authentication" is used with at least two distinct
> >> meanings. But do we want to use the word "authentication" for two different
> >> things, when we have other words (such as "verification") that are clearer
> >> and more applicable to one of them? Note that it is the technical jargon
> >> meaning of "authentication" in computer science that we are attempting to
> >> define, *not* the everyday meaning (or the meaning in some other field
> >> such as the study of antiquities).
> >
> > I ran into a problem when describing ZBAC to people in the
> > US Department of Defense.  It took a couple of years for me to realize that
> > they were using the word "authentication" in its broader sense.  Given that
> > this is a large community with widespread influence, I chose to change
> > rather than try to change their usage.  I now use "subject authentication"
> > when I describe ZBAC, and I haven't experienced the disconnect since.
> >
> > Just so you know the problem isn't just one of the military, I ran into the
> > same problem at SOUPS.  Lorrie Cranor and MarcS were talking past each other
> > about authentication versus authorization.  It turns out she was talking
> > about authenticating
> 
> [i.e. validating]
> 
> > the authorization.  Here, too, being careful to use the term
> > "subject authentication" helped.
> 
> I'd be quite happy to use a term that would be less ambiguous to others.
> 
> However, "subject authentication" is not quite right for the concept I'd
> like to define, because the principal that is being authenticated isn't
> necessarily a subject.
> 
> subject:   an active entity that makes requests in an access control
> system.
> 
> principal: an entity that can be authenticated; that is, that holds
>            credentials (also called authentication factors) allowing it
>            to be distinguished from other principals that do not hold those
>            credentials.
> 
> For instance, if I want to authenticate the author of a document, the author
> is by definition a principal, but there isn't necessarily any access control
> system in which the author is acting as a subject (or if there is, I don't
> have any reason to care, absent other constraints on the problem).
> 
> "Principal authentication" seems a little verbose, though.
> 
> --
> David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
> 
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
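The three senses of "authentication" that the exchange above keeps apart, written out as code. This is an added example, not code from the thread, from ZBAC or from wiki.erights.org: the function names, the use of HMAC-SHA256 over canonical JSON as a stand-in for whatever signature scheme a real system would use, and the keys and sample values are all assumptions made for illustration. Part 1 is subject authentication (the requester proves it holds a credential that distinguishes it from other subjects); part 2 is validating an authorization the way a ZBAC-style resource does, where no subject identity enters the decision at all; part 3 is principal authentication of a document's author, with no access control system in sight.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional


def _mac(key: bytes, payload: Dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the payload (illustrative
    stand-in for a signature; the key holder is the only party able to mint)."""
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _body(token: Dict) -> Dict:
    """Everything in a token except its MAC, i.e. what the MAC covers."""
    return {k: v for k, v in token.items() if k != "mac"}


# 1. Subject authentication: the active entity making a request proves that it
#    holds a credential issued to a particular subject.
def issue_credential(issuer_key: bytes, subject: str) -> Dict:
    body = {"subject": subject}
    return {**body, "mac": _mac(issuer_key, body)}


def authenticate_subject(issuer_key: bytes, credential: Dict) -> Optional[str]:
    body = _body(credential)
    if hmac.compare_digest(_mac(issuer_key, body), credential.get("mac", "")):
        return body["subject"]
    return None  # forged, tampered, or issued under a different key


# 2. Validating an authorization ("authenticating the authorization" in the
#    SOUPS conversation): the resource checks that the presented authorization
#    is genuine, unexpired and covers the requested right. Nothing here asks
#    who the subject is; holding a valid authorization is the whole decision.
def issue_authorization(resource_key: bytes, resource: str,
                        rights: List[str], expires: int) -> Dict:
    body = {"resource": resource, "rights": sorted(rights), "expires": expires}
    return {**body, "mac": _mac(resource_key, body)}


def validate_authorization(resource_key: bytes, authorization: Dict,
                           resource: str, right: str, now: int) -> bool:
    body = _body(authorization)
    if not hmac.compare_digest(_mac(resource_key, body),
                               authorization.get("mac", "")):
        return False  # forged or tampered (e.g. rights list edited)
    return (body["resource"] == resource
            and right in body["rights"]
            and now < body["expires"])


# 3. Principal authentication with no access control system involved: checking
#    that a document really comes from the holder of the author's key.
def sign_document(author_key: bytes, document: str) -> str:
    return _mac(author_key, {"document": document})


def authenticate_author(author_key: bytes, document: str, tag: str) -> bool:
    return hmac.compare_digest(_mac(author_key, {"document": document}), tag)


if __name__ == "__main__":
    # Constructed sample keys and values, not from any real deployment.
    issuer_key, resource_key, author_key = b"issuer-k", b"resource-k", b"author-k"
    now = int(time.time())

    cred = issue_credential(issuer_key, "alice")
    print("subject:", authenticate_subject(issuer_key, cred))

    auth = issue_authorization(resource_key, "/reports/q3", ["read"], now + 600)
    print("read ok:", validate_authorization(resource_key, auth, "/reports/q3", "read", now))
    forged = dict(auth, rights=["read", "write"])  # MAC no longer matches
    print("write ok:", validate_authorization(resource_key, forged, "/reports/q3", "write", now))

    tag = sign_document(author_key, "Minutes of the meeting")
    print("author ok:", authenticate_author(author_key, "Minutes of the meeting", tag))
```

The point of keeping the three checks as separate functions is that only the first one answers "who is this?"; the second answers "is this authorization genuine and applicable?" and the third "did this principal produce this document?", and calling all three "authentication" without a qualifier is exactly the ambiguity the thread is about.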

