Re: [Fed-Talk] Re: "Authentication" < > "SSO"
- Subject: Re: [Fed-Talk] Re: "Authentication" < > "SSO"
- From: "Shawn A. Geddis" <email@hidden>
- Date: Mon, 29 Dec 2008 17:33:46 -0500
On Dec 29, 2008, at 5:05 PM, Timothy J. Miller wrote:

> Paul Nelson wrote:
>> Terminology is such a pain. Experts have been telling us that there is a difference between Authentication and Authorization. They make a very good argument about keeping these ideas separate. However, the two always go hand in hand on computer systems because you can't do anything useful just by "authenticating" someone.
>
> Not always. AF has deployed a wireless guest network where users only authenticate--i.e., a valid DoD PKI certificate is required. No separate authorization step is performed; authN implies authZ in this case.

Let's think about this, Tim. Just because I can *Authenticate* myself does not mean I am allowed (Authorized) on the AF Wireless Network. Your brief description of the environment would imply that the AF has *authorized* access by anyone with a verifiable DoD issued X.509 Certificate. That is still Authorization. I could Authenticate myself with a Test CAC and not be allowed access to the AF Guest Network, since it is not a Valid DoD X.509 Certificate in the sense that it is a test card with JITC issued Certs for testing only. *Authorization* to access and use the AF Wireless Guest Network is still limited to those authenticating with a Valid DoD X.509 Certificate.

> We use similar methods with a limited number of DoD websites. Viewers need to be limited to DoD members, but sometimes we don't care which ones; so we enable PKI client authN and turn off directory mapping (it's an IIS webserver, right? :). Think of this as the PKI equivalent of the *.mil DNS name restriction.
Regardless of which method you deploy, this is still *Authorization*. Just because someone can authenticate who they are does not mean they automatically get access to services.
- Shawn _____________________________________________________ Shawn Geddis - Security Consulting Engineer - Apple Enterprise
Attachment: smime.p7s (S/MIME cryptographic signature)
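The distinction Shawn draws above, as an added example that is not part of the original thread or of any AF or DoD system: authentication (does this client certificate chain to a root the verifier trusts?) and authorization (does the guest-network policy admit its holder?) kept as two separate steps, using Go's standard crypto/x509. Everything in it is constructed for illustration: the CA names are invented, the roots and client certificates are generated in-process, and the policy "admit only chains anchored at the production root" stands in for the "valid DoD certificate" rule. The trust store deliberately contains the test root as well, so that a test-card holder authenticates successfully and is turned away only by the authorization step, which is exactly the case the thread argues about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Root names are invented for this example; they are not real DoD PKI or JITC CA names.
const prodRootName = "Example Production Root CA"

type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mint creates a self-signed root when parent is nil, otherwise a client-auth
// end-entity certificate issued by parent. Fixture generation, so errors panic.
func mint(cn string, serial int64, parent *ca) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	issuer, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		issuer, issuerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &ca{cert: cert, key: key}
}

// authenticate answers "is this really who the certificate says?": the chain must
// verify to a trusted root and the leaf must be valid for client auth. It returns
// the verified chain and says nothing about access.
func authenticate(leaf *x509.Certificate, roots *x509.CertPool) ([]*x509.Certificate, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return nil, err // unknown authority, expired, wrong EKU: policy is never consulted
	}
	return chains[0], nil
}

// authorize is the separate policy decision: admit anyone whose verified chain anchors
// at the production root, and nobody else, however well a test-CA holder authenticated.
func authorize(chain []*x509.Certificate) bool {
	return chain[len(chain)-1].Subject.CommonName == prodRootName
}

// Outcome keeps the two answers apart so they are never conflated.
type Outcome struct{ Authenticated, Authorized bool }

// Scenario issues one client certificate from a production root, a test root and an
// unrelated root, and runs each through both steps. The trust store holds the test root
// too, as a lab machine might, so the test-card holder authenticates but is not authorized.
func Scenario() map[string]Outcome {
	prod := mint(prodRootName, 1, nil)
	test := mint("Example Test Root CA", 2, nil)
	other := mint("Unrelated Root CA", 3, nil)
	roots := x509.NewCertPool()
	roots.AddCert(prod.cert)
	roots.AddCert(test.cert)
	out := map[string]Outcome{}
	for name, issuer := range map[string]*ca{"production CAC": prod, "test CAC": test, "unrelated cert": other} {
		chain, err := authenticate(mint(name, 100, issuer).cert, roots)
		out[name] = Outcome{Authenticated: err == nil, Authorized: err == nil && authorize(chain)}
	}
	return out
}

func main() {
	for name, o := range Scenario() {
		fmt.Printf("%-15s authenticated=%-5v authorized=%v\n", name, o.Authenticated, o.Authorized)
	}
}
```

Run it with `go run`; Scenario() returns the three outcomes so the same function can be checked from a test. In a real deployment the chain would come from the TLS handshake (tls.ConnectionState.VerifiedChains on a Go server) and the policy from whatever the operator considers a valid issuer; the point is that the policy check stays a separate function from chain verification, whichever roots the verifier happens to trust.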
_______________________________________________
Fed-talk mailing list (email@hidden)