ietf-mxcomp

RE: Authentication and Authorization

2004-03-12 07:14:47

> Can we live with Hadmut's definition of "authorization"?
> (Keeping in mind that others will have different definitions)

Not if we want the spec to be comprehensible in the security
community.

> Oh, I thought I came from the security community.

You cited secondary and marketing literature. I wrote the
SAML spec.

> If there is any different definition used in the "security
> community", could you give me a reference? That's interesting.

We defined the following

Authentication
        - The PROCESS of determining that "alice" is Alice
        - The decision arrived at by an authentication process

Authorization Decision
        - A statement by the controller of a resource granting
          access to Alice

Authorization Policy
        - A statement of the criteria used to make an
          Authorization Decision.


>> We are not putting permissions data in the DNS here, we are
>> putting credentials data in the DNS and stating that recipients
>> should verify that mail messages purporting to originate from
>> the zone are authentic with respect to a credential.
>
> "credentials" is a term commonly used for attributes of an
> entity. What we keep in the DNS are authorization records, not
> really credentials. Again, could you give a citation for your
> definition?

A credential is a piece of data used to authenticate an individual.
Usually it is the part carried by the user, though, rather than the
part used for verification.

E.g. A digital certificate, a password, a biometric profile.


There is some precedent for calling the information in the DNS 
a credential, but there is none for calling it an authorization.
The owner of the resource here is the receiver of the message, 
it is the receipt of email service that is being controlled.

                Phill

