- From: Bick, Bob (LNG) <robert.bick@lexisnexis.com>
- Date: Fri, 3 May 2002 08:26:38 -0400
- To: "'Joseph Hui'" <jhui@digisle.net>, Hugo Haas <hugo@w3.org>, www-ws-arch@w3.org
> Computing the hash of a message that incorporates a secret shared by you and me
> allows me to authenticate that the message has not been altered and it
> came from you. That's __data authentication__. HMAC is one way of doing this.
> Digital Signature is another way; but it requires Public Key Encryption (PKE),
> thus a bit more expensive.

I'd suggest we use the standard terms "data integrity" and "non-repudiation" in that case rather than "data authentication". Perhaps this may be more clear.

Bob

-----Original Message-----
From: Joseph Hui [mailto:jhui@digisle.net]
Sent: Thursday, May 02, 2002 9:12 PM
To: Hugo Haas; www-ws-arch@w3.org
Subject: RE: D-AR0062.2: Authentication for data

Data authentication -- authenticate that the data came from the right source.
Getting acquainted with HMAC may help further.

E.g. asking you to produce a driver's license authenticates you (by biometrics) to me that you're Hugo. That's __peer (or party, or source) authentication__.

Computing the hash of a message that incorporates a secret shared by you and me
allows me to authenticate that the message has not been altered and it
came from you. That's __data authentication__. HMAC is one way of doing this.
Digital Signature is another way; but it requires Public Key Encryption (PKE),
thus a bit more expensive.

Joe Hui
Exodus, a Cable & Wireless service
==================================================

> -----Original Message-----
> From: Hugo Haas [mailto:hugo@w3.org]
> Sent: Thursday, May 02, 2002 2:02 PM
> To: www-ws-arch@w3.org
> Subject: D-AR0062.2: Authentication for data
>
>
> My apologies, I was talking about D-AR0062.2, not D-AR006.2.1.
>
> * Hugo Haas <hugo@w3.org> [2002-05-02 16:59-0400]
> > D-AR0062.2 reads:
> >
> >   + D-AR0062.2 The security framework must include Authentication
> >     for data (sent and received by communicating parties).
> >
> > D-AR0062.1 talks about parties authentication. D-AR0062.5 talks about
> > data integrity. It is not clear to me what data authentication is.
>
> --
> Hugo Haas - W3C
> mailto:hugo@w3.org - http://www.w3.org/People/Hugo/ - tel:+1-617-452-2092
Received on Friday, 3 May 2002 08:28:05 UTC
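
The shared-secret hash check described in the thread, as an added example that is not part of the original messages: it shows what an HMAC tag lets the receiver conclude, and that anyone holding the same secret can produce a valid tag. The function names, the key handling and the sample message are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def tag(key: bytes, message: bytes) -> str:
    """Sender side: HMAC-SHA256 over the message, keyed with the shared secret."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, received_tag: str) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag(key, message), received_tag)


def demo() -> dict:
    shared_key = secrets.token_bytes(32)   # secret held by both parties
    other_key = secrets.token_bytes(32)    # a party that lacks the shared secret
    # Constructed sample message, not taken from the thread.
    msg = b"<order id='17'><amount>100</amount></order>"
    sent_tag = tag(shared_key, msg)
    altered = msg.replace(b"100", b"900")
    return {
        # Unmodified message from a key holder: accepted.
        "intact": verify(shared_key, msg, sent_tag),
        # Message changed in transit, original tag kept: rejected.
        "altered": verify(shared_key, altered, sent_tag),
        # Tag computed without the shared secret: rejected.
        "wrong_key": verify(shared_key, msg, tag(other_key, msg)),
        # The receiver holds the same key, so it can tag any message itself.
        # A digital signature differs here: only the private-key holder signs.
        "receiver_made": verify(shared_key, altered, tag(shared_key, altered)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```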