Thus spake <Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu>
Authentication: Yes, you seem to be Jeffrey Dahlmer.
Authorization: You say you'd like to borrow a steak knife?
Usually clears up the confusion in all but the most sluggish mind.. ;)
That's a very clear example, thanks.
However, "authorization" usually implies "authentication" beforehand.
Does anybody have a reference on an authorization scheme that
doesn't imply any authentication?
In a sense: the IETF lists (and most others) use a null authentication
method, i.e. you trust whatever is in the message. After that (null) step,
we apply weak authorization, i.e. whether the sender is on the approved
list.
I've seen lots of proposals to improve the former-- hardly difficult -- but
none for the latter. Perhaps using precise terminology will help focus
efforts in the right area.
S