[cap-talk] Definition of Authentication on wiki.erights.org
Rob Meijer
capibara at xs4all.nl
Mon Sep 7 23:19:48 PDT 2009
On Tue, September 8, 2009 05:53, David-Sarah Hopwood wrote:
> Karp, Alan H wrote:
>> David-Sarah Hopwood wrote:
>>> subject: an active entity that makes requests in an access control
>>> system.
>>>
>>> principal: an entity that can be authenticated; that is, that holds
>>> credentials (also called authentication factors) allowing it
>>> to be distinguished from other principals that do not hold
>>> those credentials.
>>
>> Since I'm talking about an access control decision, it seems that "subject"
>> is the right word.
>>
>> The subject may be proving that it's working on behalf of a specific
>> principal, but it might just be proving to be a particular process
>> running on my behalf.
>
> If it is just proving to be a particular process/subject -- i.e. if
> in the system under consideration, processes can both make requests
> and be *directly* authenticated as processes (rather than as acting on
> behalf of a user or as being instances of particular programs), then
> "subject authentication" would be correct. But that would be quite an
> unusual system; neither capability nor ACL-like systems normally do this.
> If process authentication were used for access control, it would have
> severe problems due to permission management overhead.
MinorFs ( http://minorfs.polacanthus.net/ ) absolutely uses the process
(either as the non persistent unix process, or as an incarnation of a
pseudo persistent process) as base granularity level. For example, a pseudo
persistent process's identity gets
proclaimed/validated/identified/authenticated (depending on what
definition we use) based on a hash of information gathered from the Linux
/proc/$PID/ facility.
MinorFs is indeed quite an unusual system, but not, as you seem to infer,
one with severe permission management overhead.
> If it were used
> for auditing/accountability, the process ids wouldn't mean anything to
> human auditors.
This is an implementation detail. PpPID (Pseudo persistent process id)
creation could log executable paths, executable hashes and any relevant
user identity for auditing purposes. Delegation between PpPIDs could also
be logged for auditing purposes.
>>> "Principal authentication" seems a little verbose, though.
>>
>> But I can live with it. My only concern is that I might get some push
>> back, which hasn't happened with "subject authentication" yet.
>
> My point is just that in almost all cases, the principal isn't a subject.
> That is, users are not subjects, and processes are not normally
> directly authenticated as such (sometimes, they are authenticated
> as being instances of a program, but then it is the program that is
> the principal, not a particular instance of it).
>
> Therefore "subject authentication" is not correct for the term that
> distinguishes the kind of authentication that Matej and I are talking
> about, from other uses of "authentication" (which I would prefer to
> call "validation").
I fail to see any concrete difference between subjects and principals in
that your definition of a principal seems to align with what I would
consider a subject.
With respect to validation and identification I would like to suggest that
even with subject/principal authentication, the focus of the word
authentication seems to be more on 'validating' that the proclaimed
subject/principal on the other end is authentic, than on determining what
subject/principal is on the other end. This, while the same process is
simultaneously used for identification, which IMO fits definition 1.
Possibly (I admit I haven't fully thought this through) we could define
'subject/principal identification' (1) as a combination of a 'subject
proclamation' and 'subject authentication'.
That is, if I have a username 'rob' and a password 'freebuldibub', this
would mean that I would, to identify myself, first proclaim to possess
an identity attribute valued 'rob', after which I authenticate this by
providing the password as proof of the authenticity of my robness.
It is the validation part of identification that I would refer to as
subject/principal authentication.
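As an added illustration of the process-as-principal idea discussed above (this is example code, not MinorFs's actual implementation, and the per-process facts are constructed rather than read from a real /proc): a pseudo-persistent process id derived from facts that survive across process incarnations, with the audit records for PpPID creation and delegation that the post suggests.

```python
import hashlib
import json

# Constructed sample of the kind of facts one could gather from /proc/$PID
# (executable path, hash of the executable, owning uid). Made-up values.
SAMPLE_PROCS = {
    1001: {"exe": "/usr/bin/editor", "exe_sha256": "aa" * 32, "uid": 1000},
    1002: {"exe": "/usr/bin/editor", "exe_sha256": "aa" * 32, "uid": 1000},
    1003: {"exe": "/usr/bin/shell", "exe_sha256": "bb" * 32, "uid": 1000},
}

AUDIT_LOG = []  # auditing records, kept in memory for the example


def pseudo_persistent_id(facts):
    """Derive a pseudo-persistent process id (PpPID) from facts that persist
    across incarnations: executable path, executable hash and uid.
    The non-persistent PID is deliberately not part of the input, so two
    incarnations of the same program under the same user share one PpPID."""
    canon = json.dumps({k: facts[k] for k in ("exe", "exe_sha256", "uid")},
                       sort_keys=True).encode()
    return hashlib.sha256(canon).hexdigest()[:16]


def register_process(pid, facts):
    """Authenticate a live process as a PpPID and record the path, hash and
    uid, so the id means something to a human auditor later."""
    pppid = pseudo_persistent_id(facts)
    AUDIT_LOG.append({"event": "pppid_create", "pid": pid, "pppid": pppid,
                      "exe": facts["exe"], "exe_sha256": facts["exe_sha256"],
                      "uid": facts["uid"]})
    return pppid


def log_delegation(from_pppid, to_pppid, capability):
    """Record a capability passed from one PpPID to another."""
    entry = {"event": "delegate", "from": from_pppid,
             "to": to_pppid, "cap": capability}
    AUDIT_LOG.append(entry)
    return entry


if __name__ == "__main__":
    ids = {pid: register_process(pid, f) for pid, f in SAMPLE_PROCS.items()}
    log_delegation(ids[1001], ids[1003], "read:/home/rob/notes")
    for entry in AUDIT_LOG:
        print(entry)
```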