authentication and authorization

Anton Stiglic astiglic at okiok.com
Tue Jul 6 11:20:39 EDT 2004



>-----Original Message-----
>From: John Denker [mailto:jsd at av8n.com] 
>Sent: 5 July 2004 18:28
>To: Anton Stiglic
>Cc: cryptography at metzdowd.com; 'Ian Grigg'
>Subject: Re: authentication and authorization

>[...]
>We should assume that the participants on this list have a
>goodly amount of technical expertise.  We should use the
>established technical definitions, unless there is a good
>reason not to.

Well, there is no established technical definition for "digital identity",
but most definitions seem to focus on what I defined it as.

> [...]
>> A digital identity is usually composed of a set of identifiers (e.g. 
>> Unix ID, email address, X.500 DN, etc.) and other information 
>> associated to an entity (an entity can be an individual, computer 
>> machine, service, etc.). "Other information" may include usage 
>> profiles, employee profiles, security profiles, cryptographic keys, 
>> passwords, etc.

>That is very unhelpful, because it lumps together two types
>of things that really ought to be treated differently.
>  -- I want my email address to be widely known.  I want my
>   public keys to be widely known.
>  -- I want my password to be secret.  I want my private keys
>   to be secret.

The term "digital identity" is not intended to help you solve the problem.
In a digital identity there are parts that an individual wants to keep
private, other parts can be public (others should be divulged to only
certain individuals, possibly via a zero-knowledge proof that will convince
the verifier, without giving him enough information to be able to prove the
property to someone else).  You can refer to the different parts of a
digital identity using different terms if you want, but the term "digital
identity" usually includes all of those parts.  Relating to the real world,
you might have a fetish for high-heeled pink leather boots, which is part of
your identity (something that characterizes you), but not want others to
know about that.  But it's still part of your identity, just as your SSN
number is.


>> Identity can be stolen in the sense that this information can be 
>> copied, revealed to someone, and that someone can use it in order to 
>> identify and authenticate himself to a system and get authorization 
>> to access resources he wouldn't normally be allowed to.
>> 
>> The following document has a nice diagram on the first page of 
>> appendix A: http://www.ec3.org/Downloads/2002/id_management.pdf

>Again that (including the reference) misses the point and
>blurs things that really need to be kept distinct.


You are mixing up two problems, that of defining digital identity, and that
of preventing unauthorized individuals from accessing resources that they are
not supposed to (via identity theft for example), as well as privacy.


>The focus _must_ be on the transaction, not on the ID.
>Suppose I carry out a transaction with the jewellery
>store.  Did I authorize a $3.00 payment for a new watch
>battery, or a $30,000.00 payment for diamond necklace?

You are talking about the problem of non-repudiation here...

>[...]
>Collecting more and more ID information about me is at
>best marginally helpful to the relying party;  "ID" might
>tell the RP whether I *could* have authorized a particular
>transaction (was it within my account limit?) but "ID"
>cannot possibly tell the RP whether I *did* authorize a
>particular transaction.  And (!!) don't forget the
>converse:  If the transaction is legit, there is no
>reason why my ID needs to be involved.  Cash transactions
>are still legal!

I agree with that last part.  It relates to the whole thing about attribute,
vs identity vs individual authentication that I mentioned.  I favour
attribute authentication in most cases.  And with stuff like Digital
Credentials you can also have accountability even with attribute
authentication (for example if forced by law).

>The proper use of _identification_ is obvious:  In some
>exceptional circumstances it is important to be able to
>connect a real meat-space _identity_ with a particular
>event.  For instance, if there is a hit-and-run accident,
>it really helps if a witness notes the license number of
>the car.  (Been there, done that.)

Again, this relates exactly to my discussion about attribute, identity and
individual authentication.  Things like Digital Credentials are what are going
to help you out, not re-defining the term "digital identity".

--Anton




---------------------------------------------------------------------
The Cryptography Mailing List