I thought this list would be a good place to get feedback about an API I
stumbled upon:
http://acegisecurity.org/acegi-security/apidocs/org/acegisecurity/AuthenticationManager.html

    Authentication authenticate(Authentication authentication)
        throws AuthenticationException

    Attempts to authenticate the passed Authentication object, returning
    a fully populated Authentication object (including granted
    authorities) if successful.

Looking at the definitions of `authenticate' and `authentication' makes
me wonder about the meaning of this API in English (from WordNet):
1. (1) authenticate -- (establish the authenticity of something)
1. (7) authenticity, genuineness, legitimacy -- (undisputed credibility)
1. authentication, hallmark, assay-mark -- (a mark on an article of
trade to indicate its origin and authenticity)
2. authentication, certification -- (validating the authenticity of
something or someone)
So this method literally "establishes the authenticity of a mark that
validates the authenticity of something"?
It's also pretty far from the definition of `authentication' in papers
such as [0].
Thoughts?
Thanks,
Ludo'.
[0] http://mumble.net/~jar/pubs/secureos/secureos.html
Sounds reasonable, like establishing that a EU passport (that validates
the authenticity of my identity) is a real and unaltered password. My
password authenticates my identity belonging to me, but my passport itself
is also subject to authentication by people and systems checking my
identity.
"Rob Meijer" <capi...@xs4all.nl> writes:
> On Fri, July 24, 2009 11:02, Ludovic Courtès wrote:
[...]
>> http://acegisecurity.org/acegi-security/apidocs/org/acegisecurity/AuthenticationManager.html
>>
>> Authentication authenticate(Authentication authentication)
>> throws AuthenticationException
>>
>> Attempts to authenticate the passed Authentication object, returning
>> a fully populated Authentication object (including granted
>> authorities) if successful.
[...]
>> So this method literally "establishes the authenticity of a mark that
>> validates the authenticity of something"?
>
> Sounds reasonable, like establishing that a EU passport (that validates
> the authenticity of my identity) is a real and unaltered password. My
> password authenticates my identity belonging to me, but my passport itself
> is also subject to authentication by people and systems checking my
> identity.
Yes, that's right, but just like any other object. Thus, I would rather
expect something like:

    Authentication authenticate (Object object)

AIUI, in Rees' "A Security Kernel..." terms, we'd make it clear which
aspect of the object is to be authenticated, so it could look like:

    boolean is_authentic (object o, class c)

which would be used as:

    is_authentic (my_passport, eu_passport_class)

What do you think?
Thanks,
Ludo'.
Ludovic Courtès wrote:
> Hello,
>
> I thought this list would be a good place to get feedback about an API I
> stumbled upon:
>
> http://acegisecurity.org/acegi-security/apidocs/org/acegisecurity/AuthenticationManager.html
>
> Authentication authenticate(Authentication authentication)
> throws AuthenticationException
>
> Attempts to authenticate the passed Authentication object, returning
> a fully populated Authentication object (including granted
> authorities) if successful.
>
> Looking at the definitions of `authenticate' and `authentication' makes
> me wonder about the meaning of this API in English (from WordNet):
>
> 1. (1) authenticate -- (establish the authenticity of something)
This makes sense.
Consider installation of Debian package. If you download something from
some repository, the package is authenticated before it is installed.
The authentication process determines whether given package (given
object) was issued by given Debian community (some subject). This is
useful if your trust in the Debian community is relatively higher than
your trust in any random person.
Many other examples can be given.
(authentication of documents published by subjects)
>
> 1. (7) authenticity, genuineness, legitimacy -- (undisputed credibility)
Sounds like the previous point.
>
> 1. authentication, hallmark, assay-mark -- (a mark on an article of
> trade to indicate its origin and authenticity)
This may be a special case of the previous points.
> 2. authentication, certification -- (validating the authenticity of
> something or someone)
I think this is a slightly confusing definition. While we can authenticate
something; I do not think that it makes sense to say that we can
authenticate someone. This confuses two things: authentication and
identification. These are separate concepts.
>
> So this method literally "establishes the authenticity of a mark that
> validates the authenticity of something"?
This sentence makes no sense to me.
>
> It's also pretty far from the definition of `authentication' in papers
> such as [0].
>
> Thoughts?
Already the first sentence:
"Broadly speaking, authentication is any procedure or test that
determines whether an object is trustworthy or genuine."
is disputable. I would delete the word "trustworthy". Authentication
does not establish trustworthiness. That is a delusion.
--
Matej Kosik
At first, I thought this API must be broken. But now I'm not so sure.
I could imagine instances of it that aren't broken, but I haven't
looked at the code in question.
They would appear to implicitly have two subclasses of Authentication:
AuthenticatedAuthentication and UnauthenticatedAuthentication.
This method might properly be defined as

    AuthenticatedAuthentication authenticate(UnauthenticatedAuthentication a) ...

> So this method literally "establishes the authenticity of a mark that
> validates the authenticity of something"?
That might sound circular, but it may not be.
Consider a password in the context of a particular user account.
The password is an "authenticator". It proves that whoever submits the
password is "authentic", i.e. is the user that the account belongs to.
[*]
However, the authenticator must be authenticated -- the given password
must be checked against the stored password (or a salted one-way
transformation of it etc.) for the user account.
So authenticating an authenticator may not be as bogus as it sounds at first.
> It's also pretty far from the definition of `authentication' in papers
> such as [0].
[*]
It's pretty easy to confuse "authenticate" and "authorise" (similarly
"authenticator" and "authorisation"). The password above might more
rightly be called an "authorisation". It authorises whoever knows it
to access the account.
In the context of your [0] (Jonathan Rees' "A security kernel based on
the lambda calculus"), the author himself has said
"I think I used the term "authentication" incorrectly in this paper."
(see http://mumble.net/~jar/pubs/secureos/).
The line between the two is not always clear.
Cheers
Toby
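
A sketch of the typed split suggested in the message above, added here as an illustration and not part of the original post or of Acegi's code. The class names follow the message's wording; `Account`, `derive`, the PBKDF2 parameters and the sample user are assumptions made for the example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class TypedAuthDemo {
    // Hypothetical types (not Acegi's): an unverified claim and a verified result.
    static final class UnauthenticatedAuthentication {
        final String user; final char[] password;
        UnauthenticatedAuthentication(String user, char[] password) {
            this.user = user; this.password = password;
        }
    }
    static final class AuthenticatedAuthentication {
        final String user; final Set<String> authorities;
        // Private constructor: code outside this file cannot mint a verified token.
        private AuthenticatedAuthentication(String user, Set<String> authorities) {
            this.user = user; this.authorities = Collections.unmodifiableSet(authorities);
        }
    }
    // Stored side of the authenticator: a salt and a salted one-way transformation.
    static final class Account {
        final byte[] salt, hash; final Set<String> authorities;
        Account(char[] pw, Set<String> authorities) throws Exception {
            salt = new byte[16]; new SecureRandom().nextBytes(salt);
            hash = derive(pw, salt); this.authorities = authorities;
        }
    }
    static final Map<String, Account> accounts = new HashMap<>();

    static byte[] derive(char[] pw, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // "Authenticating the authenticator": compare the submitted password with the stored hash.
    static AuthenticatedAuthentication authenticate(UnauthenticatedAuthentication a) throws Exception {
        Account acct = accounts.get(a.user);
        if (acct == null || !MessageDigest.isEqual(derive(a.password, acct.salt), acct.hash))
            throw new SecurityException("bad credentials");
        return new AuthenticatedAuthentication(a.user, acct.authorities);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample account and authority name.
        accounts.put("alice", new Account("s3cret".toCharArray(), new HashSet<>(Arrays.asList("ROLE_USER"))));
        AuthenticatedAuthentication ok = authenticate(new UnauthenticatedAuthentication("alice", "s3cret".toCharArray()));
        System.out.println(ok.user + " " + ok.authorities);
        try { authenticate(new UnauthenticatedAuthentication("alice", "wrong".toCharArray())); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

With the two states as distinct types, code that requires a verified caller can take `AuthenticatedAuthentication` as its parameter, and passing an unchecked claim becomes a compile-time error.
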
Matej Kosik <ko...@fiit.stuba.sk> writes:
> Ludovic Courtès wrote:
[...]
>> Looking at the definitions of `authenticate' and `authentication' makes
>> me wonder about the meaning of this API in English (from WordNet):
>>
>> 1. (1) authenticate -- (establish the authenticity of something)
>
> This makes sense.
The definitions are from WordNet (these are English definitions, not
taking into account CS usage, should it be different), so they surely
make sense. ;-)
>> So this method literally "establishes the authenticity of a mark that
>> validates the authenticity of something"?
>
> This sentence makes no sense to me.
I was playing devil's advocate by translating literally the method
signature using the above definitions.
> Already the first sentence:
>
> "Broadly speaking, authentication is any procedure or test that
> determines whether an object is trustworthy or genuine."
>
> is disputable. I would delete the word "trustworthy". Authentication
> does not establish trustworthiness. That is a delusion.
Agreed. I think Section 2.3 makes a lot of sense, though.
Thanks,
Ludo'.
Toby Murray <toby....@comlab.ox.ac.uk> writes:
> Consider a password in the context of a particular user account.
>
> The password is an "authenticator". It proves that whoever submits the
> password is "authentic", i.e. is the user that the account belongs to.
> [*]
>
> However, the authenticator must be authenticated -- the given password
> must be checked against the stored password (or a salted one-way
> transformation of it etc.) for the user account.
>
> So authenticating an authenticator may not be as bogus as it sounds at first.
That's true. But similarly to the passport example, it's just a special
case.
> In the context of your [0] (Jonathan Rees' "A security kernel based on
> the lambda calculus"), the author himself has said
>
> "I think I used the term "authentication" incorrectly in this paper."
>
> (see http://mumble.net/~jar/pubs/secureos/).
Hmm, I don't know what made him say so.
Thanks,
Ludo'.
I am somewhat worried by the claim that "Authentication is an important
capability of secure computer systems.".
I would change "is an important capability" to "is useful in specific
cases".
Next sentence is
"A request received from an untrusted source such as a public
communications network must be authenticated as originating from an
agent that has the right to perform the action specified by the request."
This is not my viewpoint.
Next sentence:
"In a dynamically typed programming language such as Lisp or Snobol, a
value must be authenticated as being of the correct type for an operator
receiving it as an operand."
This is an abuse of the term "authentication".
Next sentence:
"The solution to the safe invocation example of Section 2.2 involves a
test for the authenticity of a putatively safe or trustworthy object
(Bart's program)."
Is authentication essential for safe program invocation? I do not think
so. Authentication can be done reliably but it is a self-deception to
assume that it somehow miraculously leads to safe invocation. Which in
W7 may be achieved, but the above sentence is not comprehensible to me.
> I am somewhat worried by the claim that "Authentication is an important
> capability of secure computer systems.".
I'm under the impression that you're judging the paper based on a few
sentences quoted out of context.
Read as a whole, I think it's a refreshing view on capabilities and
"computer security". Perhaps there are inaccuracies, as you suggest,
but these are probably minor (AFAICT) and don't make it less
interesting.
Thanks,
Ludo'.
I have now started to use the phrase "subject authentication" to mean verifying that the subject has some property, such as identity, role, or attributes. That's avoided the confusion, at least so far.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
Those who have time, please review this definition:
http://wiki.erights.org/wiki/Authentication
> Those who have time, please review this definition:
> http://wiki.erights.org/wiki/Authentication
IMO it's better to stick to the letter of the dictionary definition as
it's widely accepted, avoids confusion, and provides an opportunity to
think about the concept in general terms.
As an example, I really like how Ellison analyzes "identity",
"certificates", etc. in
http://www.usenix.org/publications/library/proceedings/sec96/ellison.html .
Thanks,
Ludo'.
Ludovic Courtès wrote:
> Matej Kosik <ko...@fiit.stuba.sk> writes:
>
>> Those who have time, please review this definition:
>> http://wiki.erights.org/wiki/Authentication
>
> IMO it's better to stick to the letter of the dictionary definition as
> it's widely accepted, avoids confusion, and provides an opportunity to
> think about the concept in general terms.
Please paste here the definition you think better captures how
_capability community_ interprets this concept. If there are ways how
the definition can be improved, let's do it.
--
Matej
Given one end of a communication channel, establish which principal
is probably at the other end.
(Note: this definition is more general than it may at first appear; it
does cover local authentication.)
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
Ok. I have updated the definition.
http://wiki.erights.org/wiki/Authentication
From now on, my wallet contains one end of communication channel leading
to the central bank. :)
--
Matej Kosik