
List:       cap-talk
Subject:    Re: [cap-talk] What's an authenticated authentication?
From:       "Rob Meijer" <capibara () xs4all ! nl>
Date:       2009-07-30 7:36:09
Message-ID: 69070c0316c430f2083d08e6c76edb4a.squirrel () webmail ! xs4all ! nl

On Thu, July 30, 2009 08:26, Matej Kosik wrote:
> Matej Kosik wrote:
>> Rob Meijer wrote:
>>> On Wed, July 29, 2009 10:23, Matej Kosik wrote:
>>>> Rob Meijer wrote:
>>>>> While it may be correct, it took me a few times to catch the reasoning
>>>>> behind it. I feel taking this track in definition might be seeding some
>>>>> unneeded confusion.
>>>> What kind of confusion? Isn't the definition both:
>>>> - correct
>>>> - and concise?
>>>>
>>>> Can you give some examples of authentication that the presented
>>>> definition does not fit?
>>>>
>>>> Can you give some examples which will indicate that the definition is
>>>> confusing? (for us)
>>> Not within OC or AAA context no.
>>>
>>>> It may be confusing for others, but is not always avoidable and we
>>>> should not trade our confusion for non-confusion of others. What we can
>>>> do is to explain our viewpoint and this can be successfully done.
>>> I feel it may be unnecessarily confusing in that it defines an essentially
>>> different angle for 'our' relevant subset of the normal 'validation of
>>> authenticity'. A valid angle, but I feel that defining our (the OC or AAA
>>> subset) exactly as a subset may be a bit less confusing to others while
>>> being just as useful for us.
>>
>> I cannot think of an example where the currently stated definition:
>> http://wiki.erights.org/wiki/Authentication
>> would not cover well things that should be regarded as authentication.
>
>> The definition you proposed seems to me more confusing because it does
>> not directly define authorization.
>
> Sorry, I meant authentication here.


It defines authentication as what I feel is the common interpretation:
'the process of validating the authenticity of an entity'. It further puts
an important constraint on the type of entity being authenticated as to
define 'our' subset of authentication when the term authentication is used
in an AAA context (the context most relevant to us I believe) having to
either be a source of authority or a target of accountability.

I feel it is an important note in the dynamic least authority approach, to
conclude that for a single action the source of authority and the target
of accountability may be totally different entities. The target of
accountability will I think always fit your definition, however for the
source of accountability I'm not sure, especially for examples such as
SAML assertions as caps for what I feel it is the cap representation
itself that as source of authority is being authenticated while it is
being used over a communication channel for what the 'principal is
probably at the other end' is not that relevant in the authentication, and
your definition although possibly correct at a different abstraction level
seems quite confusing.

Rob

_______________________________________________
cap-talk mailing list
cap-talk@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/cap-talk