Re: [Emu] EAP and authorization
Dave Nelson [mailto://d.b.nelson at comcast.net] writes:
> Alan DeKok writes...
>
> > > A server can tell me that I'm not authorized without
> > > knowing who I am?
> >
> > Yes. A policy could state that all logins between 5pm
> > and 9am are to be rejected. In that case, it can reject
> > you without knowing (or caring) who you are. This process
> > can't be "authorization", because it can happen *before*
> > authentication.
>
> I hate to jump into the heated debates over terminology, but I have to
> support Glen in this case. Alan, I'm sorry, you're simply mistaken about
> this.
>
> Authentication is "proof of identity", i.e., it's about who you are.
> Authorization is about "access control policy", i.e., what you may do. In
> the example that you cite above, the action is clearly authorization. The
> server is enforcing the "access control policy" that the "wildcard" user is
> prohibited from logging in during the hours of 5 PM and 9 AM. This
> authorization action *was* preceded by an implicit authentication action.
> It's just that the "wildcard" user, i.e., anyone on the planet, can easily
> be authenticated without the exchange of credentials.
I don't actually think that we need to invent a NULL authentication type
here: there is no authentication nor any authorization in this case, there
is just a fixed policy. There are lots of policies that are unrelated to
both authentication and authorization, including policies controlling
network access. For example, it might be a corporation's policy not to put
Ethernet ports in conference rooms, so unless your laptop has a wireless
interface, no network access. This policy has nothing to do with either
authentication or authorization, only with having the right equipment (not
unlike NEA).
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
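The three stages the posters are distinguishing (a fixed policy that needs no identity, authentication, and identity-based authorization) are easiest to see as a decision pipeline. The following is an added example, not code from the thread or from any EAP/RADIUS implementation; the user store, the wired-service policy and the 17:00-09:00 window are constructed for illustration, and the stage names are only labels for the example, not a ruling on the terminology dispute. It shows that the time-of-day reject is reached before the server has looked at any identity, while the later stages never run without credentials.

```python
import hmac
from dataclasses import dataclass
from datetime import time
from typing import Dict, Optional, Tuple

# Constructed credential store for the example (hypothetical users).
USERS: Dict[str, str] = {"alice": "s3cret", "bob": "hunter2"}
# Constructed identity-based policy: who may use the hypothetical "wired" service.
WIRED_ALLOWED = {"alice"}

# Constructed fixed policy: no logins between 17:00 and 09:00 (the thread's example).
LOGIN_CLOSE = time(17, 0)
LOGIN_OPEN = time(9, 0)


@dataclass
class AccessRequest:
    identity: Optional[str]      # None if the peer has not yet offered an identity
    password: Optional[str]      # None if no credential has been presented
    requested_service: str       # e.g. "wired"
    now: time                    # time of day at the access server


def fixed_policy(req: AccessRequest) -> Optional[str]:
    """Stage 1: policy that depends on nothing about the peer.

    Runs before any identity or credential is examined, so it can reject
    a request whose identity field is still None.
    """
    if req.now >= LOGIN_CLOSE or req.now < LOGIN_OPEN:
        return "reject: outside login hours"
    return None


def authenticate(req: AccessRequest) -> Optional[str]:
    """Stage 2: proof of identity against the credential store."""
    if req.identity is None or req.password is None:
        return "reject: no credentials"
    stored = USERS.get(req.identity)
    # Unknown user and wrong password yield the same verdict so the
    # response does not enumerate valid identities; compare_digest keeps
    # the comparison time independent of where the strings differ.
    if stored is None or not hmac.compare_digest(stored, req.password):
        return "reject: bad credentials"
    return None


def authorize(req: AccessRequest) -> Optional[str]:
    """Stage 3: access control policy keyed on the now-authenticated identity."""
    if req.requested_service == "wired" and req.identity not in WIRED_ALLOWED:
        return f"reject: {req.identity} not authorized for wired"
    return None


def decide(req: AccessRequest) -> Tuple[str, str]:
    """Evaluate the stages in order and report which one produced the verdict."""
    for stage in (fixed_policy, authenticate, authorize):
        verdict = stage(req)
        if verdict is not None:
            return (stage.__name__, verdict)
    return ("authorize", "accept")


if __name__ == "__main__":
    # Identity is None here: the reject comes from the fixed policy alone.
    print(decide(AccessRequest(None, None, "wired", time(20, 0))))
    print(decide(AccessRequest("alice", "s3cret", "wired", time(10, 0))))
    print(decide(AccessRequest("bob", "hunter2", "wired", time(10, 0))))
```

The ordering is the practical point: whichever word one uses for stage 1, it must be written so it never dereferences the identity, because in EAP the server may have to decide before the peer's identity response arrives, and a stage-3 rule that silently runs on an unauthenticated identity is the bug to check for.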