ietf-mxcomp

Re: terminology: authentication / authorization

2004-07-09 07:30:27

Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:

This group needs to stop re-defining well-established security
terminology, especially when the primary effect of those redefinitions
is to make everything less consistent and precise, not more.

   I've been trying to hunt down useful definitions in common use;
I can supply links if anyone's a glutton for punishment.

   The only source I feel able to recommend for our use is RFC 2828:
"Internet Security Glossary", May 2000. It lists several categories
of entries:

- "I" identifies a RECOMMENDED Internet definition.
- "N" identifies a RECOMMENDED non-Internet definition.
- "O" identifies a definition that is not recommended as the first choice
      for Internet documents but is something that authors of Internet
      documents need to know.
- "D" identifies a term or definition that SHOULD NOT be used in Internet
      documents.
- "C" identifies commentary or additional usage guidance.

   From RFC 2828, I extract:

] accreditation
]   (I) An administrative declaration by a designated authority that
]       an information system is approved to operate in a particular
]       security configuration with a prescribed set of safeguards.
]       [FP102] (See: certification.)
]   (C) An accreditation is usually based on a technical certification
]       of the system's security mechanisms. The terms "certification"
]       and "accreditation" are used more in the U.S. Department of
]       Defense and other government agencies than in commercial
]       organizations. However, the concepts apply any place where
]       managers are required to deal with and accept responsibility
]       for security risks. The American Bar Association is developing
]       accreditation criteria for CAs.
] 
] authentication
]   (I) The process of verifying an identity claimed by or for a
]       system entity. (See: authenticate, authentication exchange,
]       authentication information, credential, data origin
]       authentication, peer entity authentication.)
]   (C) An authentication process consists of two steps:
]       1. Identification step: Presenting an identifier to the
]          security system. (Identifiers should be assigned carefully,
]          because authenticated identities are the basis for other
]          security services, such as access control service.)
]       2. Verification step: Presenting or generating authentication
]          information that corroborates the binding between the entity
]          and the identifier. (See: verification.)
]   (C) See: ("relationship between data integrity service and
]       authentication services" under) data integrity service.
] 
] authorization
]   (I) (1.) An "authorization" is a right or a permission that is
]            granted to a system entity to access a system resource. 
]       (2.) An "authorization process" is a procedure for granting
]            such rights.
]       (3.) To "authorize" means to grant such a right or permission.
]       (See: privilege.)

   Since only the (I) items are "recommended", is there any reason we
can't live with:

" Accreditation is an administrative declaration by a designated authority
"   that an information system is approved to operate in a particular 
"   security configuration with a prescribed set of safeguards. 

" Authentication is the process of verifying an identity claimed by or
"   for a system entity.

" Authorization is a right or a permission that is granted to a system
"   entity to access a system resource.

--
John Leslie <john(_at_)jlc(_dot_)net>
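As an added illustration of the RFC 2828 definitions quoted in this message (example code, not from the thread or from RFC 2828), the following keeps the identification step, the verification step and the authorization check as separate decisions with separate outcomes. The HMAC-over-challenge scheme, the entity names and the "mail-relay" resource are constructed assumptions.

```python
import hmac
import hashlib

# Constructed sample data (assumption, not from the thread): the shared secret
# bound to each identifier, and the rights granted per (entity, resource).
SECRETS = {"alice": b"alice-secret-key", "bob": b"bob-secret-key"}
AUTHORIZATIONS = {("alice", "mail-relay"): {"send"}, ("bob", "mail-relay"): set()}

def identify(identifier):
    """RFC 2828 identification step: an identifier is presented; is it known?"""
    return identifier in SECRETS

def make_response(identifier, challenge):
    """Client side: the authentication information for a server challenge
    (HMAC-SHA256 keyed with the shared secret; an assumed scheme)."""
    return hmac.new(SECRETS[identifier], challenge, hashlib.sha256).digest()

def verify(identifier, challenge, response):
    """RFC 2828 verification step: corroborate the binding between the
    entity and the identifier by recomputing the expected response."""
    expected = make_response(identifier, challenge)
    # Constant-time comparison; a wrong-length response simply fails.
    return hmac.compare_digest(expected, response)

def authenticate(identifier, challenge, response):
    """Authentication = identification followed by verification."""
    if not identify(identifier):
        return "unidentified"
    if not verify(identifier, challenge, response):
        return "unauthenticated"
    return "authenticated"

def authorize(identifier, resource, action):
    """Authorization: a right granted to the entity for the resource.
    This is a separate decision from authentication."""
    return action in AUTHORIZATIONS.get((identifier, resource), set())

def access(identifier, challenge, response, resource, action):
    """Full access decision; an authenticated entity can still be unauthorized."""
    outcome = authenticate(identifier, challenge, response)
    if outcome != "authenticated":
        return outcome
    return "granted" if authorize(identifier, resource, action) else "unauthorized"
```

Keeping the two decisions apart is what lets a log distinguish "who is this?" failures from "is this entity allowed?" failures, which the thread's terminology dispute is ultimately about.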