RE: Comments requested on recent appeal to the IESG


Just as a matter of observation, there is not and never has been a security requirement to rigidly separate authentication and authorization. Indeed there is no real world deployment in which authentication and authorization are not conflated to some degree.
 
The separation of authentication and authorization is a matter of administrative and operational convenience.
 
It is very rarely the case that every privilege that might potentially be granted to a user is known in advance. Hence the benefit of maintaining a distinction. But in practice the fact that a party holds a valid authentication credential is in itself often (but not always) sufficient to make an authorization decision in low-risk situations.
 
Thus an objection based on the mere risk that such a conflation may occur is not justified, as such conflation has occurred in every practical security system ever.
 
We do not issue employee authentication badges to non-employees. Thus an employee-authentication badge will inevitably carry de-facto authorization for any action that is permitted to every employee (like opening the office door).
 
The Authorization/Authentication model is in fact broken; in a modern system such as SAML you actually have three classes of data with the introduction of attributes.
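The three-way split the post describes (a verified credential, the attributes it carries, and the per-action authorization decision) is easy to show in code. The following is an added example written for this archive page; it is not code from the post's author, from the thread, or from any SAML implementation. The badge format, the HMAC signing key and the policy table are all constructed for the demonstration. The "open_office_door" rule has no attribute requirement beyond a valid badge, which is exactly the de-facto authorization the post describes; the other actions show where attributes do the extra work.

```python
import hashlib
import hmac
import json

# Constructed demo key for this example only; a real issuer would keep the
# signing key in an HSM or KMS, never in source.
BADGE_SIGNING_KEY = b"demo-badge-key-not-for-production"

# Hypothetical policy table: action -> attributes the subject must present.
# An empty requirement means "any holder of a valid employee badge", i.e. the
# low-risk case where authentication alone decides authorization.
POLICY = {
    "open_office_door": {},
    "open_server_room": {"role": "sysadmin"},
    "approve_payroll": {"department": "finance", "role": "manager"},
}


def issue_badge(attributes: dict) -> str:
    """Issue a badge: hex-encoded JSON attributes plus an HMAC-SHA256 tag.

    The badge is the authentication credential; the attributes inside it are
    the third class of data the post mentions (constructed format).
    """
    payload = json.dumps(attributes, sort_keys=True).encode()
    tag = hmac.new(BADGE_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def authenticate(badge: str):
    """Authentication step: verify the tag and return the attributes.

    Returns None for malformed or forged badges, so that a tampered badge
    never reaches the authorization step with any attributes at all.
    """
    try:
        payload_hex, tag = badge.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(BADGE_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def authorize(attributes, action: str) -> bool:
    """Authorization step: compare presented attributes against POLICY.

    Unknown actions and unauthenticated subjects are denied by default.
    """
    if attributes is None:
        return False
    required = POLICY.get(action)
    if required is None:
        return False
    return all(attributes.get(key) == value for key, value in required.items())


def decide(badge: str, action: str) -> bool:
    """Full access decision: authenticate the badge, then authorize the action."""
    return authorize(authenticate(badge), action)


if __name__ == "__main__":
    # Constructed sample subjects.
    engineer = issue_badge({"employee_id": "E-100", "department": "engineering", "role": "engineer"})
    sysadmin = issue_badge({"employee_id": "E-200", "department": "it", "role": "sysadmin"})
    for who, badge in (("engineer", engineer), ("sysadmin", sysadmin)):
        for action in POLICY:
            print(f"{who:9} {action:18} -> {'allow' if decide(badge, action) else 'deny'}")
```

Running the block shows that both badge holders can open the office door with nothing more than a valid badge, that only the sysadmin can open the server room, and that neither can approve payroll. Flipping a single byte of a badge's payload makes `authenticate` return `None`, and every action is then denied, which is the property that keeps the convenient "valid badge is enough" rule safe for low-risk actions.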

 

From: ietf-bounces@xxxxxxxx on behalf of Scott Kitterman
Sent: Thu 2/19/2009 9:32 PM
To: ietf@xxxxxxxx
Subject: Re: Comments requested on recent appeal to the IESG

On Thu, 19 Feb 2009 18:04:31 -0800 Dave CROCKER <dhc2@xxxxxxxxxxxx> wrote:
>This appeal lacks merit on basic points.
>
+1.  I don't think I could have said it better myself. 

I was involved in the MARID and DKIM working groups and was involved in the
group that helped put together this draft.  All these points have been made
before and got no traction in these various venues.

Scott K


_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

