
Define identification, authentication and authorization...

Last post 05-14-2007 6:43 AM by klo. 25 replies.
  • 05-02-2007 3:07 AM

    • klo
    • Top 10 Contributor
    • Joined on 04-30-2007
    • Posts 30
    • Points 360

    Define identification, authentication and authorization...

    When you go shopping what do you need in order to be authorized to purchase something?

    If you visit an off-license to purchase alcohol what do you need in order to be authorized to purchase a bottle of your favourite whisky?

    In either of the two examples above, is there a requirement for identification? 

    The objective of this thread is to define what is meant by identification, authentication and authorization. I expect some lively and controversial discussions and look forward to seeing diverse opinions and ideas.

    This is the second of two threads in the Identity and Privacy forum in the ISM community. Welcome!

    Karen Lawrence Öqvist
    • Post Points: 20
  • 05-02-2007 3:42 AM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: Define identification, authentication and authorization...

    Identification is a claim as to who you are

    Authentication is proving it

    • Post Points: 35
  • 05-02-2007 4:10 AM In reply to

    • klo
    • Top 10 Contributor
    • Joined on 04-30-2007
    • Posts 30
    • Points 360

    Re: Define identification, authentication and authorization...

    So what authorizes you to purchase that bottle of whisky?
    Karen Lawrence Öqvist
    • Post Points: 20
  • 05-02-2007 5:59 AM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: Define identification, authentication and authorization...

    The clerk behind the desk following a set of predefined rules. Business rules may be determined by laws or regulations. Systems may then enforce those business rules.

    • Post Points: 20
  • 05-02-2007 1:47 PM In reply to

    • klo
    • Top 10 Contributor
    • Joined on 04-30-2007
    • Posts 30
    • Points 360

    Re: Define identification, authentication and authorization...

    if there are no business rules or regulations..........

    Karen Lawrence Öqvist
    • Post Points: 20
  • 05-02-2007 2:44 PM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: Define identification, authentication and authorization...

    Then by definition I am authorized...it's called freedom ;-)

    • Post Points: 20
  • 05-02-2007 3:05 PM In reply to

    • klo
    • Top 10 Contributor
    • Joined on 04-30-2007
    • Posts 30
    • Points 360

    Re: Define identification, authentication and authorization...

    Freedom is also what you feel after drinking half a bottle of French wine and good cheeses mid-week :o)

    Karen Lawrence Öqvist
    • Post Points: 5
  • 05-02-2007 5:48 PM In reply to

    • ebreece
    • Top 10 Contributor
    • Joined on 04-24-2007
    • Twin Cities
    • Posts 39
    • Points 585

    Re: Define identification, authentication and authorization...

     

    mcurphey:
    Identification is a claim as to who you are

    I think of it as a little more than that. I mean...

    Identification could be thought more of a process by which someone (or something) describes all or part of itself to another person or thing.

    "Hey, hey, hey, I'm your brother."

    Authentication then would be someone or something deciding if it is true or not.

    "Yeah, you're my annoying little brother, great." 

    Authorization of course would be what that person or thing would be allowed to do or have.

    "I don't care that you're my brother, you still aren't getting my cookie!"

    In short, to build on what you said mcurphey, identification is the process by which you prove who you are and authentication is if someone believes you or not.

    -E
    • Post Points: 20
  • 05-03-2007 4:23 AM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: Define identification, authentication and authorization...

    I have to pick a few small things with your last statement.

    ebreece:
    In short, to build on what you said mcurphey, identification is the process by which you prove who you are and authentication is if someone believes you or not.

    • Identification (ident) is the act of claiming who you are
    • Authentication (authn) is the act of proving it
    • Authorization (authz) is a process of allowing someone or something to do something based on the previous two

    Of course most authorization decisions need to be based off of authn, but some, like showing me my local weather in MSN, are fine based off of ident.

    • Post Points: 35
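The three definitions in the post above, sketched as an added example that is not part of the original thread: each action names the minimum assurance it needs, so the weather lookup is allowed on a bare claim while a more sensitive action needs proof. The user store, the policy table and the `read_mailbox` action are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    ANONYMOUS = 0      # no claim made
    IDENTIFIED = 1     # claim made, not proven (ident)
    AUTHENTICATED = 2  # claim proven (authn)


# Constructed sample data: one user and a per-action policy (hypothetical names).
SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}
POLICY = {
    "show_local_weather": Assurance.IDENTIFIED,  # fine on a bare claim
    "read_mailbox": Assurance.AUTHENTICATED,     # needs proof of the claim
}


@dataclass(frozen=True)
class Subject:
    claimed_id: Optional[str]
    assurance: Assurance


def identify(claimed_id):
    """Ident: record the claim; nothing is verified yet."""
    level = Assurance.IDENTIFIED if claimed_id else Assurance.ANONYMOUS
    return Subject(claimed_id, level)


def authenticate(subject, password):
    """Authn: check the supplied proof against the stored verifier."""
    stored = USERS.get(subject.claimed_id or "")
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if stored is not None and hmac.compare_digest(stored, supplied):
        return Subject(subject.claimed_id, Assurance.AUTHENTICATED)
    return subject  # proof failed: the claim stays unproven


def authorize(subject, action):
    """Authz: allow only if the required assurance is met; unknown actions are denied."""
    required = POLICY.get(action)
    return required is not None and subject.assurance >= required
```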
  • 05-03-2007 4:42 AM In reply to

    • klo
    • Top 10 Contributor
    • Joined on 04-30-2007
    • Posts 30
    • Points 360

    Re: Define identification, authentication and authorization...

    mcurphey:

    • Identification (ident) is the act of claiming who you are
    • Authentication (authn) is the act of proving it
    • Authorization (authz) is a process of allowing someone or something to do something based on the previous two

     

    So are you saying that you need to be identified and authenticated in order to be authorized? 

    Karen Lawrence Öqvist
    • Post Points: 20
  • 05-03-2007 9:16 AM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: Define identification, authentication and authorization...

    If you have neither you have no idea who you are authoring......been building auth systems in software for years ;-) I have spent many hours on this stuff..check out SecureUML as a modelling language for this type of stuff.

    • Post Points: 5
  • 05-03-2007 11:01 AM In reply to

    • ebreece
    • Top 10 Contributor
    • Joined on 04-24-2007
    • Twin Cities
    • Posts 39
    • Points 585

    Re: Define identification, authentication and authorization...

     

    mcurphey:

    • Identification (ident) is the act of claiming who you are
    • Authentication (authn) is the act of proving it

    Maybe we're saying the same thing, but I think of it as:

    • Ident = the proof (i.e., the act of proving it)
    • Authn = the trust (i.e., the act of trusting that proof)

    Like I said, maybe we're saying the same thing conceptually, but the words we choose are different.

    Also, yes, you should have both in order to have Authorization. I say should, because people are people and they'll trust their word as proof of who they are (i.e., implicitly trust them).

    -E
    • Post Points: 20
  • 05-03-2007 12:37 PM In reply to

    • klo
    • Top 10 Contributor
    • Joined on 04-30-2007
    • Posts 30
    • Points 360

    Re: Define identification, authentication and authorization...

    If we forget about systems and get back to basics.
    In my world, what authorizes me to purchase a packet of coffee when I walk into a supermarket with cash in my pocket, is the cash..... there is no need for identification or authorization authentication, the shop assistant doesn't care who I am.....

    Karen Lawrence Öqvist
    • Post Points: 20
  • 05-03-2007 12:49 PM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: Define identification, authentication and authorization...

    But it's the same problem. Instead of identifying and authenticating a person you are identifying and authenticating a real note or real coin. Ident, authn and authz go far beyond people IMHO. The auth decision is not using a person as the subject.

    • Post Points: 20
  • 05-03-2007 1:41 PM In reply to

    • klo
    • Top 10 Contributor
    • Joined on 04-30-2007
    • Posts 30
    • Points 360

    Re: Define identification, authentication and authorization...

    I was going to add a line saying 'sleep on it before responding' ;-)

    But I will say instead, let us say the currency is sheep :-)) 

    Karen Lawrence Öqvist
    • Post Points: 5
All Rights Reserved - The ISM-Community