identification + Re: authentication and authorization

Ed Gerck egerck at nma.com
Wed Jul 7 14:46:10 EDT 2004 

I believe that a significant part of the problems discussed here is that
the three concepts named in the subject line are not well-defined. This
is not a question of semantics, it's a question of logical conditions
that are at present overlapping and inconsistent.

For example, much of what is called "identity theft" is actually
"authentication theft" -- the stolen credentials (SSN, driver's
license number, address, etc) are used to falsely *authenticate* a
fraudster (much like a stolen password), not to identify. Once we
understand this, a solution, thus, to what is called  "identity theft"
is to improve the *authentication mechanisms*, for example by using
two-factor authentication. Which has nothing to do with identification,
impersonation, or even the security of identification data.

In further clarifying the issue, it seems that what we need first is
a non-circular definition for identity. And, of course, we need a
definition that can be applied on the Internet.  Another important
goal is to permit a safe automatic processing of identification,
authentication and authorization [1].

Let me share with you my conclusion on this, in revisiting the
concept of identification some time ago. I found it useful to ask
the meta question -- what is identification, that we can identify it?
In short, a useful definition of identification should also work
reflexively and self-consistently [2].

In this context, what is "to identify"? I think that "to identify"
is to look for connections. Thus, in identification we should look
for logical and/or natural connections. For example:

- between a fingerprint and the person that has it,

- between a name and the person that answers by that name,

- between an Internet host and a URL that connects to it,

- between an idea and the way we can represent it in words,

- conversely, between words and the ideas they represent,

- etc.

Do you, the reader, agree?

If you agree you have just identified. If you do not agree, likewise
you have identified! The essence of identification is thus to find
connections -- where absence of connections also counts.

Identification can thus be understood not only in the sense of an
"identity" connection, but in the wider sense of "any" connection.
Which one to use is just a matter of protocol expression, need, cost
and (very importantly) privacy concerns.

The word "coherence" is useful here, meaning any natural or logical
connection. To identify is to look for coherence. Coherence with and
between a photo, a SSN, an email address, a public-key and other
attributes: *Identification is a measure of coherence*.

The same ideas can be applied to define "authentication" and
"authorization" in a self-consistent way, without overlapping with
each other.

Comments?

Cheers,
Ed Gerck

[1] The effort should also aim to safely automate the process of reliance
by a relying-party. This requires path processing and any algorithm to
eliminate any violations of those policies (i.e., vulnerabilities) that
might be hard to recognize or difficult to foresee, which would
interfere with the goal of specifying a wholly automated process of
handling identification, authentication and authorization.

[2] This answer should be useful to the engineering development of all
Internet protocols, to all human communication modes, to all
information transfer models and anywhere one needs to reach beyond
one's own point in space and time.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list