[cap-talk] Definition of Authentication on wiki.erights.org
Rob Meijer
capibara at xs4all.nl
Tue Sep 8 11:08:47 PDT 2009
On Tue, September 8, 2009 17:43, Karp, Alan H wrote:
> Exactly. Identification, authentication, and authorization are distinct
> steps.
Identification and (subject) authentication are only distinct steps when
crossing a conceptual or granularity level. On the same conceptual and
granularity level authentication is 'part of' identification.
When describing access control mechanisms I currently use 10 granularity
levels:
1) Object method/facet granularity
2) Object granularity
3) Class granularity
4) Package granularity
5) Process granularity
6) Persistent process granularity
7) Account granularity/ program granularity
8) Person granularity/program author granularity
9) Company granularity/ Organization granularity
10) Society granularity/ culture granularity.
Not all levels are always meaningful, often some are missing.
> The analogy in a Unix system is
>
> Identification: Setting up an account.
That is just identification at level 8, where the person identity at level
8 gets bound to an account identity at level 7; the border gets crossed and
levels 7, 8 and 9 get interconnected.
You can transpose the same concept to level 5/7/8 for your example.
> Authentication: How you know to let a process use the privileges granted
> to an account.
> Authorization: Adding an entry to an access control list.
> Access Check: Checking the ACL before honoring a request.
In my view it is extremely important that definitions hold when transposed
to other granularity levels. In my interpretation of active object and
subject, authentication and identification, I see no difference between
the different granularity levels. I'm not sure about principal after
reading David-Sarah's arguments. It however seems to me that many of us are
locking down definitions at a particular level of granularity, which IMHO
is counterproductive in us trying to reason about access control. I feel
that any definition we have for any access control related concept should
be granularity level neutral so that we may apply our patterns and
reasoning at any set of granularity levels.
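As an added illustration (not code from this thread or from either poster), the following toy model keeps the four steps Alan lists as separate operations with separate failure outcomes, and then runs the same unchanged model once at account granularity and once at process granularity, which is the kind of transposition Rob is asking definitions to survive. The class and method names, the use of a random shared secret as the credential, and the sample principals and resources are all assumptions made for the example.

```python
"""Toy model of identification, authentication, authorization and access check
as four distinct steps, parameterised over the kind of principal so the same
definitions apply at more than one granularity level.

Added example for the cap-talk discussion; not code from the thread.
All names below are assumptions made for the illustration."""
import hmac
import secrets


class AccessControlModel:
    """One instance models a single granularity level: the principal may be an
    account name, a process id, a person, or anything else; the model does not
    care which, which is the granularity-neutral property being discussed."""

    def __init__(self) -> None:
        self._identities: dict[str, str] = {}   # principal -> credential
        self._acl: dict[str, set[str]] = {}     # resource -> principals allowed

    def identify(self, principal: str) -> str:
        """Step 1, identification: bind a new principal and hand back the
        credential that later proves requests come from it (e.g. account setup)."""
        if principal in self._identities:
            raise ValueError(f"{principal!r} is already identified")
        credential = secrets.token_hex(16)
        self._identities[principal] = credential
        return credential

    def authenticate(self, principal: str, presented: str) -> bool:
        """Step 2, authentication: does this request really come from the
        principal? Constant-time compare so the check itself leaks nothing."""
        expected = self._identities.get(principal)
        if expected is None:
            return False
        return hmac.compare_digest(expected, presented)

    def authorize(self, principal: str, resource: str) -> None:
        """Step 3, authorization: add an ACL entry. Only identified principals
        can be granted anything, so a typo'd name fails here, not later."""
        if principal not in self._identities:
            raise KeyError(f"unknown principal {principal!r}")
        self._acl.setdefault(resource, set()).add(principal)

    def access(self, principal: str, presented: str, resource: str) -> str:
        """Step 4, access check: evaluate the ACL, but only after the earlier
        steps have been satisfied. Each distinct failure is reported distinctly."""
        if principal not in self._identities:
            return "unidentified"
        if not self.authenticate(principal, presented):
            return "unauthenticated"
        if principal not in self._acl.get(resource, set()):
            return "unauthorized"
        return "granted"


def run_level(principal: str, other: str, resource: str) -> dict[str, str]:
    """Exercise all four outcomes for one granularity level and return them.
    Principals and resource are constructed sample values supplied by the caller."""
    model = AccessControlModel()
    cred = model.identify(principal)
    other_cred = model.identify(other)
    model.authorize(principal, resource)
    return {
        "granted": model.access(principal, cred, resource),
        "unauthorized": model.access(other, other_cred, resource),
        "unauthenticated": model.access(principal, "not-the-credential", resource),
        "unidentified": model.access("nobody", cred, resource),
    }


def run_two_levels() -> dict[str, dict[str, str]]:
    """Same model, two granularity levels from Rob's list: level 7 (accounts
    acting on files) and level 5 (processes acting on a socket). The outcomes
    are identical because nothing in the definitions depends on the level."""
    return {
        "account": run_level("alice", "bob", "/home/alice/notes.txt"),
        "process": run_level("pid:4242", "pid:4243", "socket:tcp/8443"),
    }


if __name__ == "__main__":
    for level, outcomes in run_two_levels().items():
        print(level, outcomes)
```

Because the model refuses to add an ACL entry for a principal that was never identified, a mistake in step 3 surfaces as a `KeyError` at authorization time rather than as a silent "unauthorized" at access time, which is the practical payoff of keeping the steps separate.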