--On Monday, 09 December, 2002 16:17 -0600 Stephen Sprunk <ssprunk@cisco.com> wrote:

> Thus spake <Valdis.Kletnieks@vt.edu>
>> Authentication: Yes, you seem to be Jeffrey Dahlmer.
>> Authorization: You say you'd like to borrow a steak knife?
>>
>> Usually clears up the confusion in all but the most sluggish
>> mind.. ;)
>
> That's a very clear example, thanks.
>
>> However, "authorization" usually implies "authentication"
>> beforehand. Does anybody have a reference on an
>> authorization scheme that doesn't imply any authentication?
>
> In a sense: the IETF lists (and most others) use a null
> authentication method, i.e. you trust whatever is in the
> message. After that (null) step, we apply weak authorization,
> i.e. whether the sender is on the approved list.

Actually, it is a very common situation: think about almost any case in which possession of a token authorizes one to do something, but no identification/authentication is implied.

For what is perhaps one of the older examples, can you go to a store where you are not known, in some part of your country where you are not frequently present, and buy something? Of course you can: you pass an authorization token, typically called "cash", across the counter and get some merchandise in return. The quantity of tokens you possess and their value even determines the extent of your authorization.

Credit card companies often draw an analogy to that situation, which is one of the reasons they have stayed far out of the _public_ part of the PKI business: they don't really care who you are, or who uses the credit card, as long as the bill gets paid. Anything they do or require that involves authentication has to do with the "the bill will get paid without protest" property, not your identity.

john