Terminology is such a pain. Experts have been telling us that there is a difference between Authentication and Authorization. They make a very good argument about keeping these ideas separate. However, the two always go hand in hand on computer systems because you can't do anything useful just by "authenticating" someone.
Not always. AF has deployed a wireless guest network where users only authenticate--i.e., a valid DoD PKI certificate is required. No separate authorization step is performed; authN implies authZ in this case.
On Dec 29, 2008, at 5:44 PM, Paul Nelson wrote:
I think you just proved my point with your illustration. Isn't the authentication used to authorize access to the wireless net?
Paul,
Yes, I believe I have... but it goes further than that...
Authorization is the ultimate deciding factor in getting access to *something*. Authorization leverages Authentication to ensure only the right people are gaining access to the *something*.
Authentication is the process by which one proves who they are. I could authenticate myself (on a computer) by way of:
• Password (Shared Secret)
• PKI (X.509 Identity)
• Biometric (Fingerprint)
Authorization ("Right") to the desired resource(s) can be granted to those successfully proving (by means of the required authentication method) that they are an entity within the allowed individuals/group. Authorized ("Right") Access to the desired resource(s) can also require multiple forms of Authentication.
Yes, they go hand-in-hand, but they truly must remain separate. When folks consider them to be *one*, then you have problems with security. For example, just because I can successfully Authenticate myself as an Administrator to my machine does not mean that I am automatically authorized to perform every Admin function. I would need to acquire the appropriate "Right" (Authorization) to access that service/object.
- Shawn
Shawn Geddis - Security Consulting Engineer - Apple Enterprise
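To make the separation Shawn describes concrete (and the "authN implies authZ" guest-network case earlier in the thread), here is an added Python sketch that is not from the thread or from any product mentioned in it; the credential store, the rights table and the right names are constructed for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed credential store: username -> SHA-256 of the password.
# (Demo only; a real system would use a slow password hash such as argon2.)
CREDENTIALS = {
    "alice": hashlib.sha256(b"correct horse").hexdigest(),
    "admin": hashlib.sha256(b"hunter2").hexdigest(),
}

# Constructed rights table, kept separate from the credential store.
# "admin" is deliberately NOT given every administrative right just
# because it can authenticate as admin.
RIGHTS = {
    "alice": {"read:reports"},
    "admin": {"read:reports", "restart:service"},
}


@dataclass(frozen=True)
class Principal:
    name: str
    method: str  # how identity was proven: "password", "x509", ...


def authenticate_password(username: str, password: str) -> Optional[Principal]:
    """Authentication only: prove who you are. Returns an identity, nothing more."""
    expected = CREDENTIALS.get(username)
    if expected is None:
        return None
    actual = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(expected, actual):  # constant-time comparison
        return None
    return Principal(username, "password")


def authorize(principal: Optional[Principal], right: str) -> bool:
    """Authorization: does this proven identity hold the requested right?"""
    if principal is None:
        return False
    return right in RIGHTS.get(principal.name, set())


def guest_network_policy(principal: Optional[Principal]) -> bool:
    """The guest-network case: policy grants access to any identity proven
    by the required method (an X.509 certificate), so authN implies authZ."""
    return principal is not None and principal.method == "x509"
```

Note that `authorize` never consults the credential store and `authenticate_password` never consults the rights table, which is the separation the thread argues for.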