Re: [Emu] EAP and authorization
Alan DeKok writes...
> > A server can tell me that I'm not authorized without
> > knowing who I am?
>
> Yes. A policy could state that all logins between 5pm
> and 9am are to be rejected. In that case, it can reject
> you without knowing (or caring) who you are. This process
> can't be "authorization", because it can happen *before*
> authentication.
I hate to jump into the heated debates over terminology, but I have to
support Glen in this case. Alan, I'm sorry, you're simply mistaken about
this.
Authentication is "proof of identity", i.e., it's about who you are.
Authorization is about "access control policy", i.e., what you may do. In
the example that you cite above, the action is clearly authorization. The
server is enforcing the "access control policy" that the "wildcard" user is
prohibited from logging in between the hours of 5 PM and 9 AM. This
authorization action *was* preceded by an implicit authentication action.
It's just that the "wildcard" user, i.e., anyone on the planet, can easily
be authenticated without the exchange of credentials.