authentication and authorization (was: Question on the state of the security industry)

[Anton Stiglic]

-----Original Message-----
From: owner-cryptography at metzdowd.com
[mailto:owner-cryptography at metzdowd.com] On Behalf Of John Denker
Sent: 1 juillet 2004 14:27
To: cryptography at metzdowd.com
Cc: Ian Grigg
Subject: Re: authentication and authorization (was: Question on the state of
the security industry)

>1) For starters, "identity theft" is a misnomer.  My identity
>is my identity, and cannot be stolen.  The current epidemic
>involves something else, namely theft of an authenticator ...

Identity has many meanings.   In a typical dictionary you will find several
definitions for the word identity.  When we are talking about information
systems, we usually talk about a digital identity, which has other meanings
as well. If you are in the field of psychology, philosophy, or computer
science, identity won't mean the same thing. One definition that relates to
computer science that I like is the following:
"the individual characteristics by which a thing or person is recognized or
known".

A digital identity is usually composed of a set of identifiers (e.g. Unix
ID, email address, X.500 DN, etc.) and other information associated to an
entity (an entity can be an individual, computer machine, service, etc.).  
"Other information" may include usage profiles, employee profiles, security
profiles, cryptographic keys, passwords, etc.

Identity can be stolen in the sense that this information can be copied,
revealed to someone, and that someone can use it in order to identify and
authenticate himself to a system and get authorization to access resources
he wouldn't normally be allowed to.

The following document has a nice diagram on the first page of appendix A:
http://www.ec3.org/Downloads/2002/id_management.pdf

I came up with a similar diagram for a presentation I recently gave, but
instead of talking about primary and secondary identifying documents I
mention primary and secondary identifying information in general, and I also
have an "identifiers" circle situated beside the bigger circle, containing
identifiers that belong to an entity but are not linkable to the entity
(talking about nyms and pseudonyms).  Recall that there are basically 3
types of authentication:  individual authentication (such as via biometrics,
where you use primary identifying information to authenticate someone),
identity authentication (where the identity may or may not be linkable to an
individual), and attribute authentication (where you need reveal nothing
more than the possession of a certain attribute, such as can be done with
Stefan Brands digital credentials).

--Anton
 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com