On Tuesday, April 1, 2003, at 09:52 AM, Eric D. Williams wrote:
> As a security expert I would have to insert that authentication is a key
> element in making an authorization determination.
Agree completely! Didn't mean to imply I didn't. But he keeps telling
me stories of sites that build authentication schemes and think that
authorizes people, to (to him) humorous results. You can't authorize
without authentication. But authentication merely gives you a handle to
start authorizing.
> effective. I don't think that is an argument against authentication but rather
> the authorization must follow (and I think was implicit in the statement,
> though the thought could be inferred).
Yes. Thanks for making that explicit. I should have.
> But it does buy you the fact that you know "they are who they say they are", in
> this example through some objective third party, then what you want to allow
> them to do is up to you, you can't depend on the 'stranger' to tell you what
> they are authorized to do.
Yes. Authentication at least starts giving us a handle here, but it's
merely the start.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg