Define identification, authentication and authorization...

Last post 05-14-2007 6:43 AM by klo. 25 replies.
  • 05-05-2007 1:16 PM In reply to

    • klo
    • Top 10 Contributor
    • Joined on 04-30-2007
    • Posts 30
    • Points 360

    Re: Define identification, authentication and authorization...

    OK I guess the visualization of paying for a packet of coffee with a sheep was a bit too much for most :-))

    I believe that we are in agreement on the definitions of identification and authentication. 

    However, I do not agree that in order to be authorized, identification and authentication are necessary. We think it is, because we have all become accustomed to producing ID when we purchase goods or services with our credit card. 

    I believe it is really important that we are clear on this point because the implications to our personal privacy are profound. If we think that we have to be identified every time we walk out of our front door, we will never develop systems that respect our right to remain anonymous when we go out to buy that packet of coffee. Why should the off-license have to identify me in order to ascertain that I am over 18 or 21? They only need to have enough information in order to authorize me to purchase that whisky; which is that I am over 18 or 21 and I have money in my wallet!

    Karen Lawrence Öqvist
    • Post Points: 35
  • 05-05-2007 4:57 PM In reply to

    • ebreece
    • Top 10 Contributor
    • Joined on 04-24-2007
    • Twin Cities
    • Posts 39
    • Points 585

    Re: Define identification, authentication and authorization...

    klo:
    that we have to be identified every time we walk out of our front door

    Yes, we may have to identify ourselves every time we walk out the door. I mean, I have a driver's license and have to carry it every time I drive, because a cop may pull me over to verify that I'm allowed to drive. However, if I'm a good driver and don't give cause to be pulled over (i.e., my ability to drive identifies me as a legal driver) then the officer assumes I'm a legal driver (i.e., authenticates me) and I don't get pulled over (i.e., the police authorize me to continue to drive).

    Also, identification may not happen at the time of me driving down the road (e.g., the police may take my license plate number down, call me to court, and prove later who I am so they can determine it's authentic and I was authorized to drive). So, in "real life" the process may not be in order.

    We could take this down to such a finite degree that it would become ridiculous. So, I say, let us put some context around what we're really talking about.  We're not really talking personal liberties and a profound impact on personal privacy, we're talking about information security management.

    Therefore, in the context of information security management related events, I would say yes, we need both identification (even if it is in a generic form like "guest") and authentication to determine authorization.

    On a side note, just so people understand, I do believe there are very close links between privacy and security and they very much impact each other, but there are also differences that need to be addressed differently.

    -E
    • Post Points: 20
  • 05-07-2007 3:43 AM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: Define identification, authentication and authorization...

    But how can you make any authorization decision unless you know who you are authorizing?

    How does someone know you are over 18?

    This is actually one of the major reasons a lot of software (especially web sites) is broken. The software makes an authz decision but never had anything to base it off of. This led to cases such as Verizon where anyone could get anyone else's cell phone bill by only presenting ident info (in that case the cell phone number).

    I think fundamentally the issue for debate here then is: can you make an authz decision without ident or authn? I say no. You don't know who you are authz'ing. Another way of phrasing it may be yes if you allow anyone the same action, but that's implicit authz which is a different case.

    • Post Points: 5
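As an added example (not code from the thread), the failure mode the post describes, where an authz decision rests on identification info anyone can supply, beside a check that rests the decision on an authenticated principal who owns the account, plus the implicit-authz public case. The phone numbers, login names and bill strings are constructed:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: bills keyed by the phone number that identifies the
# account, and which login name owns which account.
BILLS = {"555-0100": "bill for 555-0100: $42.10",
         "555-0199": "bill for 555-0199: $87.55"}
ACCOUNT_OWNER = {"555-0100": "alice", "555-0199": "bob"}
TARIFF_SHEET = "public price list"

@dataclass
class Request:
    params: dict                   # caller-supplied input: untrusted identification info
    user: Optional[str] = None     # principal established by authentication, or None

def get_bill_ident_only(req: Request) -> Optional[str]:
    """The broken pattern: the phone number is identification info that anyone can
    type in, so the authz decision has nothing to rest on."""
    return BILLS.get(req.params.get("phone"))

def get_bill_authenticated(req: Request) -> Optional[str]:
    """Fixed: with no authenticated principal there is no decision to make, and the
    account must belong to that principal, not merely be named by the caller."""
    phone = req.params.get("phone")
    if req.user is None or ACCOUNT_OWNER.get(phone) != req.user:
        return None                # deny: unauthenticated, or not the account owner
    return BILLS.get(phone)

def get_tariff_sheet(req: Request) -> str:
    """Implicit authz: the same action is allowed to everyone, so neither ident nor
    authn is consulted. This is the public case the thread sets apart."""
    return TARIFF_SHEET
```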
  • 05-07-2007 3:45 AM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: Define identification, authentication and authorization...

    I see we are on the same page about implicit authz of the general case (public)....phew ;-)

    • Post Points: 20
  • 05-07-2007 5:39 AM In reply to

    • klo
    • Top 10 Contributor
    • Joined on 04-30-2007
    • Posts 30
    • Points 360

    Re: Define identification, authentication and authorization...

    wow.... I think we are all on the same sheet, it's just that I am coming from another direction.... I guess that's my prerogative as a woman ;-)

    The point that I wanted to get across (maybe not that well) is that the off-license does not need to identify or authenticate me. This does not exclude the use of a TTP.

    The use of a TTP separates my activities from my identity. The choice to remain anonymous to other actors... e.g. I do not need to identify myself to buy that bottle of whisky. But there needs to be some mechanism in place to prove that I am over 18/21.

    phew......

    Karen Lawrence Öqvist
    • Post Points: 20
  • 05-07-2007 11:38 AM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: Define identification, authentication and authorization...

    I guess I am still not sure (this may be me being slow) how a token (generic use of the word) from a TTP can be used without revealing my ID. Surely the person has to be able to show a token and show it was granted to them, so isn't it the bootstrap problem? How do I buy a bottle of whiskey in practice without showing my ID then?

    • Post Points: 20
  • 05-07-2007 11:51 AM In reply to

    • klo
    • Top 10 Contributor
    • Joined on 04-30-2007
    • Posts 30
    • Points 360

    Re: Define identification, authentication and authorization...

    Look at PRIME; they are working on this problem.

    Karen Lawrence Öqvist
    • Post Points: 20
  • 05-07-2007 1:41 PM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: Define identification, authentication and authorization...

    Very interesting.

    For now I think (?) I can draft up those definitions for the ISM Community Glossary?

    • Post Points: 35
  • 05-10-2007 7:44 AM In reply to

    Re: Define identification, authentication and authorization...

    Hi all,

    I agree with all definitions, but I have a different point of view on AuthN.

    IMHO, AuthN is a verification process of one or many credentials. A credential can be personal identification information (National ID card, passport, your address, your confidential information such as birthday, age, etc.), a personal attribute or characteristic (over 18), or even a "capacity" (i.e. having money or any attribution).

    The "capacity" is relative and dynamic. In fact, there are repositories of "capacities" and there are TTPs providing validation services (I think that is the correct way) for said "capacities".

    See PASSI (Catalonian Initiative for IdM and Capacities) at http://www.projectliberty.org/liberty/resource_center/presentations_webcasts

    X.509 certificates and/or Attribute Certificates were an initial initiative to carry identity information together with attribution/capacity.

    Best regards.

     -roger

    • Post Points: 5
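As an added example (not code from the thread or from PRIME, PASSI or Liberty), the mechanism klo and roger describe: a TTP that holds the identity records checks the "over 18" capacity and issues a credential carrying only that predicate, and the off-license authorizes the purchase from the credential alone, never learning who the customer is. The identity records are constructed, and the TTP and shop are assumed to share an HMAC key; a real TTP would sign with a private key so the shop needs only its public key.

```python
import base64, binascii, hashlib, hmac, json
from datetime import datetime, timedelta

# Constructed identity records held only by the TTP; the shop never sees them.
IDENTITY_DB = {"karen": datetime(1970, 1, 1), "sam": datetime(1992, 6, 1)}
# Assumption: an HMAC key shared by the TTP and the shop. A real TTP would sign
# with a private key so that the shop only needs the TTP's public key.
TTP_KEY = b"constructed-ttp-shop-shared-secret"
SAMPLE_NOW = datetime(2007, 5, 7, 12, 0)          # constructed clock for the demo
SAMPLE_LATER = SAMPLE_NOW + timedelta(hours=1)     # after the credential expires

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_age_credential(user: str, min_age: int, now: datetime,
                         ttl: timedelta = timedelta(minutes=10)):
    """TTP side: check the identity record, then issue a token carrying only the
    predicate 'over min_age' and an expiry, never the name or date of birth."""
    dob = IDENTITY_DB[user]
    age = now.year - dob.year - ((now.month, now.day) < (dob.month, dob.day))
    if age < min_age:
        return None                       # predicate is false: nothing is issued
    payload = json.dumps({"over": min_age, "exp": (now + ttl).isoformat()},
                         sort_keys=True).encode()
    tag = hmac.new(TTP_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)

def decode_claims(token: str) -> dict:
    """Everything the shop (or an eavesdropper) can learn from the token."""
    return json.loads(b64d(token.split(".")[0]))

def verify_age_credential(token: str, min_age: int, now: datetime) -> bool:
    """Shop side: the authz decision rests on the TTP's tag, the expiry and the
    predicate; the customer is neither identified nor authenticated."""
    try:
        payload, tag = (b64d(part) for part in token.split("."))
    except (ValueError, binascii.Error):
        return False                      # malformed token
    expected = hmac.new(TTP_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False                      # forged or tampered token
    claims = json.loads(payload)
    return claims["over"] >= min_age and datetime.fromisoformat(claims["exp"]) >= now
```

The short expiry is what keeps the bearer token from becoming a long-lived, linkable identifier; the shop's only trust anchor is the TTP's key.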
  • 05-13-2007 12:36 PM In reply to

    • klo
    • Top 10 Contributor
    • Joined on 04-30-2007
    • Posts 30
    • Points 360

    Re: Define identification, authentication and authorization...

    mcurphey:

    Very interesting.

    For now I think (?) I can draft up those definitions for the ISM Community Glossary?

    I like the definition you made for AuthN in the glossary, nice and simple, one that all, even non-security people, should understand, which is very good!
    Karen Lawrence Öqvist
    • Post Points: 5
  • 05-14-2007 6:43 AM In reply to

    • klo
    • Top 10 Contributor
    • Joined on 04-30-2007
    • Posts 30
    • Points 360

    Re: Define identification, authentication and authorization...

    Schneier Talk at Macalester College - "Counterterrorism in America: Security Theater Against Movie-Plot Threats"

    Take a visit; video available for download, very interesting. He talks about the need for identification..... or not... and has some relation to our discussions here.

    Karen Lawrence Öqvist
    • Post Points: 5
All Rights Reserved - The ISM-Community