- From: Mary Ellen Zurko <zurko@osf.org>
- Date: Wed, 22 Mar 95 9:44:26 EST
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
- Cc: Me <zurko@osf.org>
It seems that from the start of WWW security, the terms authentication and authorization have been used in ways that obfuscate the difference between them. The DAA proposal carries on that grand tradition, but I'd like to suggest that we get some clarity in the terms, and propagate it. Authentication is the process of proving identity. Authorization is the process of deciding if a request will be honored. Authorization often uses authentication information (proven identity). Authorization also uses other information, such as user attributes, object attributes, contextual information, and, most familiarly, a database associating requests and objects with user identities (or user attributes). That's files like .htaccess. As far as I can see, the item called the "Authorization" header in the DAA proposal just contains authentication information, tightly coupled to the request it's associated with (authentication information that isn't tightly coupled with a request is often not useful). The protocol does authentication, in support of authorization, but does not necessarily determine where authorization happens. For example, a server doing authentication for another can redirect, sending it's stamp of approval on the authentication information in the opaque field, and the target server could do the actual authorization, based on the verified authentication. So, if my plea is compelling, I'd like to see every reference to the word "authorization" in the DAA proposal excised (except for the "Unauthorized" status; that's a given). Also, the example conflates the two by implying that there's a single username and password "for" a document. It should say that that username/password has authorized access to the document. Mez
Received on Wednesday, 22 March 1995 06:53:23 UTC