Thus spake <Valdis.Kletnieks@vt.edu>
> Authentication: Yes, you seem to be Jeffrey Dahmer.
> Authorization: You say you'd like to borrow a steak knife?
>
> Usually clears up the confusion in all but the most sluggish mind.. ;)

That's a very clear example, thanks.

> However, "authorization" usually implies "authentication" beforehand.
> Does anybody have a reference on an authorization scheme that
> doesn't imply any authentication?

In a sense: the IETF lists (and most others) use a null authentication method, i.e. you trust whatever is in the message. After that (null) step, we apply weak authorization, i.e. whether the sender is on the approved list.

I've seen lots of proposals to improve the former -- hardly difficult -- but none for the latter. Perhaps using precise terminology will help focus efforts in the right area.

S
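
The two steps described in the message above, as an added example that is not part of the original post: a list gate that runs the same approved-list authorization after either null authentication (believe From:) or a real authentication step. The addresses, the `mx.example.org` authserv-id, the sample messages and all function names are constructed for illustration, and the code assumes the list's own MX strips any inbound Authentication-Results header carrying its id.

```python
from email import message_from_string
from email.utils import parseaddr

APPROVED = {"alice@example.org"}  # constructed approved-poster list

def claimed_sender(msg):
    """Null authentication: believe whatever the From: header says."""
    return parseaddr(msg.get("From", ""))[1].lower()

def authenticated_sender(msg, trusted_authserv="mx.example.org"):
    """Accept From: only if our own MX recorded a DMARC pass for its domain."""
    sender = claimed_sender(msg)
    domain = sender.rpartition("@")[2]
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # not written by our MX, so it proves nothing
        tokens = results.lower().replace(";", " ").split()
        if "dmarc=pass" in tokens and f"header.from={domain}" in tokens:
            return sender
    return None  # identity not established

def authorized(sender):
    """Authorization: is this (already established) identity allowed to post?"""
    return sender is not None and sender in APPROVED

def decide(raw, authenticate):
    """Run one authentication step, then the same authorization check."""
    msg = message_from_string(raw)
    return "post" if authorized(authenticate(msg)) else "hold"

def sample(sender, dmarc):
    """Build a constructed test message; not real traffic."""
    domain = sender.rpartition("@")[2]
    return (f"From: {sender}\n"
            f"Authentication-Results: mx.example.org; "
            f"dmarc={dmarc} header.from={domain}\n"
            "Subject: test\n\nbody\n")

GENUINE = sample("alice@example.org", "pass")
FORGED = sample("alice@example.org", "fail")    # From: claims alice, DMARC failed
OUTSIDER = sample("bob@example.net", "pass")    # authenticated, not on the list

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("forged", FORGED), ("outsider", OUTSIDER)]:
        print(name, decide(raw, claimed_sender), decide(raw, authenticated_sender))
```

The outsider case is held under both gates: establishing who sent the message does not by itself grant permission to post.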