[cap-talk] Definition of Authentication on wiki.erights.org
Matej Kosik
kosik at fiit.stuba.sk
Thu Sep 10 23:17:05 PDT 2009
Karp, Alan H wrote:
> Matej Kosik wrote:
>> For me, the term "authentication" was mostly empty so I was willing to
>> fill it with something useful. David-Sarah's definition, now stated
>> here:
>>
>> http://wiki.erights.org/wiki/Authentication
>>
> I think it would be more precise to say
>
> "Given one end of a transmission channel, an authentication procedure establishes whose credentials were presented at the other end."
>
> Without being physically present, there is no way to know which person is using the credentials. That's one reason I'm careful to distinguish identification from authentication.
This refinement makes sense.
(The definition would become more complicated but also more precise. It
might perhaps be a good idea to present a sequence of definitions from:
- simple and imprecise
to
- (unfortunately) complicated but precise)
>
> The bigger problem I have with this definition is that it does not conform to the meaning the wider community uses. That's what got me in trouble with the US DoD. What do you think of the following?
>
> "Authentication is the validation of a specific property of an object, subject, or principal.
>
> Examples: Role, e.g., Manager; Attributes, e.g., citizenship; Integrity; Identity
>
> Because of its unique importance, we use the term 'subject/principal authentication' to distinguish the last of these from other uses."
If my interpretation of the terms `subject' and `principal' is correct
(explained in my response to Rob today),
then I would leave out considering `objects' and `subjects' from the
definition.
Is broadening of the definition beyond establishing a principal's
identity essential?
This reminds me of normal forms in databases.
If all other properties we have in mind (citizenship, role, ...) can be
derived from identity, why do we need to mention all those properties in
the definition, thus making it more complicated (and less precise,
because every time some new principal's property appears, we would have
to update the definition)?
--
Matej Kosik