Just as a matter of observation, there is not and never has been a security
requirement to rigidly separate authentication and authorization. Indeed there
is no real world deployment in which authentication and authorization are not
conflated to some degree.
The separation of authentication and authorization is a matter of
administrative and operational convenience.
It is very rarely the case that every privilege that might potentially be
granted to a user is known in advance. Hence the benefit of maintaining a
distinction. But in practice the fact that a party holds a valid authentication
credential is in itself often (but not always) sufficient to make an
authorization decision in low-risk situations.
Thus an objection based on the mere risk that such a conflation may occur is
not justified, as such conflation has occurred in every practical security system
ever.
We do not issue employee authentication badges to non-employees. Thus an
employee-authentication badge will inevitably carry de-facto authorization for
any action that is permitted to every employee (like open the office door).
The Authorization/Authentication model is in fact broken; in a modern system
such as SAML you actually have three classes of data with the introduction of
attributes.
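The following is an added illustration, not code from the thread or from any SAML implementation: a small policy check in which the three classes of data the post mentions (who the holder is, what attributes the issuer asserts about them, and explicit grants) each play a role. A valid badge alone is sufficient for the low-risk baseline action, while higher-risk actions require an attribute rule or an explicit grant. The key, subjects, attributes and action names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed issuer key for the demo; a real deployment would use a managed secret.
ISSUER_KEY = b"demo-issuer-key"


def issue_badge(subject, attributes, key=ISSUER_KEY):
    """Authentication credential: issuer-signed claims about the holder."""
    payload = json.dumps({"sub": subject, "attrs": attributes}, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(mac).decode()


def verify_badge(token, key=ISSUER_KEY):
    """Authentication step: return the claims if the signature checks out, else None."""
    try:
        encoded_payload, encoded_mac = token.split(".")
        payload = base64.b64decode(encoded_payload)
        mac = base64.b64decode(encoded_mac)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


# Three classes of data feeding the authorization decision (all constructed):
BASELINE_ACTIONS = {"open_office_door"}                 # permitted to every valid badge holder
ATTRIBUTE_RULES = {"read_payroll": lambda a: a.get("dept") == "finance"}  # attribute-based
EXPLICIT_GRANTS = {"alice": {"enter_server_room"}}       # per-subject explicit authorization


def authorize(token, action):
    """Authorization decision tiered by risk, as the post describes."""
    claims = verify_badge(token)
    if claims is None:
        return False  # no valid credential: no privileges at all
    if action in BASELINE_ACTIONS:
        return True   # holding a valid badge is itself sufficient (the conflation)
    rule = ATTRIBUTE_RULES.get(action)
    if rule is not None and rule(claims["attrs"]):
        return True   # issuer-asserted attribute satisfies the rule
    return action in EXPLICIT_GRANTS.get(claims["sub"], set())


if __name__ == "__main__":
    alice = issue_badge("alice", {"dept": "finance"})
    bob = issue_badge("bob", {"dept": "engineering"})
    forged = issue_badge("bob", {"dept": "finance"}, key=b"not-the-issuer")
    for who, tok in (("alice", alice), ("bob", bob), ("forged", forged)):
        for act in ("open_office_door", "read_payroll", "enter_server_room"):
            print(who, act, authorize(tok, act))
```

The door check never consults attributes or grants, which is exactly the point made above: possession of a valid employee credential is the authorization for actions every employee may perform, while the other two actions show where the distinction still earns its keep.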
________________________________
From: ietf-bounces(_at_)ietf(_dot_)org on behalf of Scott Kitterman
Sent: Thu 2/19/2009 9:32 PM
To: ietf(_at_)ietf(_dot_)org
Subject: Re: Comments requested on recent appeal to the IESG
On Thu, 19 Feb 2009 18:04:31 -0800 Dave CROCKER <dhc2(_at_)dcrocker(_dot_)net>
wrote:
This appeal lacks merit on basic points.
+1. I don't think I could have said it better myself.
I was involved in the MARID and DKIM working groups and was involved in the
group that helped put together this draft. All these points have been made
before and got no traction in these various venues.
Scott K
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf