spf-discuss

Re: For SPF Council review - PASS Definition - was: People keep misunderstanding what "Pass" and "Neutral" mean

2005-05-17 22:05:02

On Tue, 17 May 2005, wayne wrote:

> As others have mentioned, the subject of "authorization" vs
> "authentication" vs "validation" vs ... has been discussed many times,
> both here and on the MARID list.  I expressed my view on this subject
> several times, but Meng didn't apply my suggested changes and the
> draft remains pretty much as Meng had it.

It's fine for you to be using both authorize and authenticate, but
you have to be sure which applies to which. So some things to keep
in mind about terminology (either this helps or it confuses you):

1. Authorization is given (by means of proper credentials) and needs to be verified while authentication is negotiated.

2. You do not authenticate a mail message (but it can be authentic...), but you can confirm that it is authorized. Note: having confirmed authorization
for one identity does not mean the entire message and transmission is authorized,
it all depends on who you consider to be a sender.

3. A server does not authorize a client system, it authenticates it.
At the same time the basis for authentication may be an authorization given
by a 3rd party or it may be based on having authorized the party responsible
for initiation of transmission.

Good enough or did I confuse you even more?

> * In the "security field" there are apparently very exact definitions
>  of "authorize" and "authentic", along with terms like
>  "credentials".  Despite reading the arguments from several people
>  who all claimed to understand these terms, I never quite grokked
>  them.

There are no exact definitions that everyone agrees with and while it
might be fun to cause security people to fight about such details as
to what to call a particular step in the process, it's probably not worth
it unless you just want them distracted from some other problem (i.e.
see last discussion on namedroppers about spf on why this may be of interest to do sometimes).

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net

