[cap-talk] Basic definitions and training material (Definition of Authentication on wiki.erights.org)

Rob Meijer capibara at xs4all.nl
Wed Sep 9 10:32:56 PDT 2009


I just translated two short presentations (the Dutch versions) that I have
been using as part of training material on security basics a few times.

http://polacanthus.net/review/02_identity.pdf
http://polacanthus.net/review/03_authority.pdf

Possibly these presentations may be useful in the current discussion and
vice versa I might be able to tune my presentations based on your inputs.


Rob

On Tue, September 8, 2009 20:08, Rob Meijer wrote:
> On Tue, September 8, 2009 17:43, Karp, Alan H wrote:
>> Exactly.  Identification, authentication, and authorization are distinct
>> steps.
>
> Identification and (subject) authentication are only distinct steps when
> crossing a conceptual or granularity level. On the same conceptual and
> granularity level authentication is 'part of' identification.
>
> When describing access control mechanisms I currently use 10 granularity
> levels:
>
> 1) Object method/facet granularity
> 2) Object granularity
> 3) Class granularity
> 4) Package granularity
> 5) Process granularity
> 6) Persistent process granularity
> 7) Account granularity/ program granularity
> 8) Person granularity/program author granularity
> 9) Company granularity/ Organization granularity
> 10) Society granularity/ culture granularity.
>
> Not all levels are always meaningful, often some are missing.
>
>
>> The analogy in a Unix system is
>>
>> Identification: Setting up an account.
>
> That is just identification at level 8, where the person identity at level
> 8 gets bound to an account identity at level 7, the border gets crossed, and
> levels 7, 8 and 9 get interconnected.
>
> You can transpose the same concept to level 5/7/8 for your example.
>
>> Authentication: How you know to let a process use the privileges granted
>> to an account.
>> Authorization:  Adding an entry to an access control list.
>> Access Check:   Checking the ACL before honoring a request.
>
> In my view it is extremely important that definitions hold when transposed
> to other granularity levels. In my interpretation of active object and
> subject, authentication and identification, I see no difference between
> the different granularity levels. I'm not sure about principal after
> reading David-Sara's arguments. It however seems to me that many of us are
> locking down definitions at a particular level of granularity, which IMHO
> is counterproductive in us trying to reason about access control. I feel
> that any definition we have for any access control related concept should
> be granularity level neutral so that we may apply our patterns and
> reasoning at any set of granularity levels.
>
>
>
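The Unix analogy quoted in the thread (identification, authentication, authorization, access check as separate steps) modelled as four distinct operations. This is an added example, not code from the thread or from anyone posting in it; the account name, password, object paths, process ids and the PBKDF2 parameters are constructed for the demo. The point it makes concrete is the one Alan Karp's list implies: an ACL entry alone does nothing for a process that has not authenticated as the account, and a successful authentication alone does nothing for an object the account is not authorized on.

```python
"""Toy model of the four steps in the Unix analogy: identification (set up an
account), authentication (a process proves it may use an account's privileges),
authorization (add an ACL entry) and the access check (consult the ACL before
honoring a request). Names, paths and pids below are constructed for the demo."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed parameter for the demo, not from the thread


class AccessControlModel:
    def __init__(self):
        self.accounts = {}  # account name -> (salt, password hash)
        self.acls = {}      # object name -> set of account names allowed
        self.sessions = {}  # process id -> account name bound by authentication

    # Step 1: identification. An account identity now exists; nothing can act yet.
    def create_account(self, name, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.accounts[name] = (salt, digest)

    # Step 2: authentication. Bind a process to an account only on a correct credential.
    def authenticate(self, pid, name, password):
        if name not in self.accounts:
            return False
        salt, digest = self.accounts[name]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return False
        self.sessions[pid] = name
        return True

    # Step 3: authorization. Grant an account access to an object (an ACL entry).
    def authorize(self, obj, name):
        if name not in self.accounts:
            raise KeyError(f"unknown account {name!r}")
        self.acls.setdefault(obj, set()).add(name)

    # Step 4: access check. Deny unless the process is authenticated AND on the ACL.
    def check_access(self, pid, obj):
        name = self.sessions.get(pid)
        if name is None:
            return False
        return name in self.acls.get(obj, set())


def demo():
    """Walk one constructed process (pid 100) through the four steps."""
    m = AccessControlModel()
    m.create_account("alice", "correct horse")       # identification
    m.authorize("/srv/report.txt", "alice")           # authorization
    results = {}
    # ACL entry exists, but the process has not authenticated: denied
    results["unauth"] = m.check_access(100, "/srv/report.txt")
    # wrong credential: authentication fails, access still denied
    results["badpw_auth"] = m.authenticate(100, "alice", "wrong")
    results["badpw"] = m.check_access(100, "/srv/report.txt")
    # correct credential: the process is now bound to the account, and allowed
    results["auth"] = m.authenticate(100, "alice", "correct horse")
    results["ok"] = m.check_access(100, "/srv/report.txt")
    # authenticated, but no ACL entry for this object: denied
    results["no_acl"] = m.check_access(100, "/srv/other.txt")
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:12s} -> {outcome}")
```

Each step mutates a different table (accounts, sessions, acls), which is what makes them distinct operations rather than one; the access check is the only step that reads all of them.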
