[cap-talk] Definition of Authentication on wiki.erights.org

Karp, Alan H alan.karp at hp.com
Sun Sep 20 21:34:02 PDT 2009


Rob Meijer wrote:
> 
> When describing access control mechanisms I currently use 10 granularity
> levels:
> 
> 1) Object method/facet granularity
> 2) Object granularity
> 3) Class granularity
> 4) Package granularity
> 5) Process granularity
> 6) Persistent process granularity
> 7) Account granularity/ program granularity
> 8) Person granularity/program author granularity
> 9) Company granularity/ Organization granularity
> 10) Society granularity/ culture granularity.
>
These are useful categories when talking about access control mechanisms, but I was talking about the access control process.  There is overlap between these two, but they are not the same.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp


> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org [mailto:cap-talk-
> bounces at mail.eros-os.org] On Behalf Of Rob Meijer
> Sent: Tuesday, September 08, 2009 11:09 AM
> To: General discussions concerning capability systems.
> Subject: Re: [cap-talk] Definition of Authentication on
> wiki.erights.org
> 
> On Tue, September 8, 2009 17:43, Karp, Alan H wrote:
> > Exactly.  Identification, authentication, and authorization are distinct
> > steps.
> 
> Identification and (subject) authentication are only distinct steps when
> crossing a conceptual or granularity level. On the same conceptual and
> granularity level authentication is 'part of' identification.
> 
> When describing access control mechanisms I currently use 10 granularity
> levels:
> 
> 1) Object method/facet granularity
> 2) Object granularity
> 3) Class granularity
> 4) Package granularity
> 5) Process granularity
> 6) Persistent process granularity
> 7) Account granularity/ program granularity
> 8) Person granularity/program author granularity
> 9) Company granularity/ Organization granularity
> 10) Society granularity/ culture granularity.
> 
> Not all levels are always meaningful, often some are missing.
> 
> 
> > The analogy in a Unix system is
> >
> > Identification: Setting up an account.
> 
> That is just identification at level 8, where the person identity at level
> 8 gets bound to account identity at level 7, the border gets crossed, and
> levels 7, 8 and 9 get interconnected.
> 
> You can transpose the same concept to level 5/7/8 for your example.
> 
> > Authentication: How you know to let a process use the privileges granted
> > to an account.
> > Authorization:  Adding an entry to an access control list.
> > Access Check:   Checking the ACL before honoring a request.
> 
> In my view it is extremely important that definitions hold when transposed
> to other granularity levels. In my interpretation of active object and
> subject, authentication and identification, I see no difference between
> the different granularity levels. I'm not sure about principal after
> reading David-Sarah's arguments. It however seems to me that many of us are
> locking down definitions at a particular level of granularity, which IMHO
> is counterproductive in us trying to reason about access control. I feel
> that any definition we have for any access control related concept should
> be granularity level neutral so that we may apply our patterns and
> reasoning at any set of granularity levels.
> 
> 
> 
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
