The Internet Security glossary is not a definitive work; it is an
attempt to describe definitions that already existed in the field.
The real definition of the terms authentication and authorization
is Butler Lampson's work in the 1970s.
The problem with pulling terms from the glossary is that there are
a bunch of assumptions built into the definitions that have to be
understood. It is even worse because the typography does not allow
terms of art to be distinguished.
The computer security nomenclature was developed for non-networked
machines. Granting the right to perform an action is synonymous
with the ability to perform it.
Take a look at the definition itself and this becomes clear:
An "authorization" is a right or a permission that is
granted to A SYSTEM entity to access A SYSTEM resource.
An authorization is NOT a right that is granted to an entity
on one system to access a resource on another system which is
what people are trying to make it.
According to the glossary what we have is a credential:
$ credential(s)
(I) Data that is transferred or presented to establish either a
claimed identity or the authorizations of a system entity. (See:
authentication information, capability, ticket.)
Most authentication credentials conflate authorization information
in some degree. A username and password record conflates permission
to log on to the machine, an SSL certificate conflates permission to
turn on the padlock icon. This does not mean that it is useful to
call authentication and authorization the same thing.
A MARID record answers the question 'does the mail come from the
purported domain'; that makes it an authentication credential.
The motives of the writer are completely irrelevant; what is
important here is the interpretation of the reader, which is the
only thing that gives the record meaning.
-----Original Message-----
From: owner-ietf-mxcomp@mail.imc.org
[mailto:owner-ietf-mxcomp@mail.imc.org] On Behalf Of John Leslie
Sent: Friday, July 09, 2004 10:30 AM
To: Dave Crocker
Cc: Meng Weng Wong; ietf-mxcomp@imc.org
Subject: Re: terminology: authentication / authorization
Dave Crocker <dhc@dcrocker.net> wrote:
> This group needs to stop re-defining well-established security
> terminology, especially when the primary effect of those redefinitions
> is to make everything less consistent and precise, not more.
I've been trying to hunt down useful definitions in common use;
I can supply links if anyone's a glutton for punishment.
The only source I feel able to recommend for our use is RFC 2828:
"Internet Security Glossary", May 2000. It lists several categories
of entries:
- "I" identifies a RECOMMENDED Internet definition.
- "N" identifies a RECOMMENDED non-Internet definition.
- "O" identifies a definition that is not recommended as the first choice
for Internet documents but is something that authors of Internet
documents need to know.
- "D" identifies a term or definition that SHOULD NOT be used in Internet
documents.
- "C" identifies commentary or additional usage guidance.
From RFC 2828, I extract:
] accreditation
] (I) An administrative declaration by a designated authority that
] an information system is approved to operate in a particular
] security configuration with a prescribed set of safeguards.
] [FP102] (See: certification.)
] (C) An accreditation is usually based on a technical certification
] of the system's security mechanisms. The terms "certification"
] and "accreditation" are used more in the U.S. Department of
] Defense and other government agencies than in commercial
] organizations. However, the concepts apply any place where
] managers are required to deal with and accept responsibility
] for security risks. The American Bar Association is developing
] accreditation criteria for CAs.
]
] authentication
] (I) The process of verifying an identity claimed by or for a
] system entity. (See: authenticate, authentication exchange,
] authentication information, credential, data origin
] authentication, peer entity authentication.)
] (C) An authentication process consists of two steps:
] 1. Identification step: Presenting an identifier to the
] security system. (Identifiers should be assigned carefully,
] because authenticated identities are the basis for other
] security services, such as access control service.)
] 2. Verification step: Presenting or generating authentication
] information that corroborates the binding between the entity
] and the identifier. (See: verification.)
] (C) See: ("relationship between data integrity service and
] authentication services" under) data integrity service.
]
] authorization
] (I) (1.) An "authorization" is a right or a permission that is
] granted to a system entity to access a system resource.
] (2.) An "authorization process" is a procedure for granting
] such rights.
] (3.) To "authorize" means to grant such a right or permission.
] (See: privilege.)
Since only the (I) items are "recommended", is there any reason we
can't live with:
" Accreditation is an administrative declaration by a designated authority
" that an information system is approved to operate in a particular
" security configuration with a prescribed set of safeguards.
" Authentication is the process of verifying an identity claimed by or
" for a system entity.
" Authorization is a right or a permission that is granted to a system
" entity to access a system resource.
--
John Leslie <john@jlc.net>