Re: identification, authorisation, authentication

Agree on all this, Nathan.

On 31 Oct 2012, at 02:40, Nathan <nathan@webr3.org> wrote:

> 
> This may seem like first year stuff, but it may be useful to mention.
> 
> Identification != Authentication != Authorisation .
> 
> Generally we can say that Authentication provides us with an identifier for the authenticated agent, and Authorisation is then done using the authenticated identifier.
> 
> API wise, this means we have:
> 
> Interface Authentication {
>  agent-identifier authenticate(*);
> }
> 
> Interface Authorisation {
>  boolean authorise(agent-identifier vai, request r, *);
> }

I would just add the following point 0.

Step 0 is to find out if you need to authenticate the agent at all. Indeed, if a resource is public then there is no need to authenticate the agent. So in fact there has to be an initial check in the Authorization interface for a particular request.

> 
> Step one is to authenticate the requesting agent and establish an agent-identifier for them.
> 
> Step two is to see if the established agent-identifier is authorised to do what they've requested.
> 
> WebID-Protocol implements the Authentication interface, and returns a specific kind of agent-identifier, namely a WebID.
> 
> WebAccessControl implements the Authorisation interface.
> 
> When working on the web, it makes sense that an agent-identifier be a URI (of which WebIDs are a subset).
> 
> This decoupling means that WebAccessControl doesn't require a WebID, rather it just requires a URI identifying an agent.
> 
> I'm only mentioning this because sometimes when you look at things closely for a long time the simple stuff gets all mixed up. Or perhaps more accurately, writing the above clears things up in my own head and allows me to both share it and sanity check it with the group :)
> 
> Best, Nathan
> 

Social Web Architect
http://bblfish.net/

Received on Wednesday, 31 October 2012 07:09:46 UTC
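The three steps in the thread (step 0: is the resource public, step 1: authenticate and obtain an agent identifier, step 2: authorise that identifier for the request) written out as an added example. This is not code from the original posts and is not the WebID or WebAccessControl software of either author; the `Authentication` class is a hypothetical stand-in for a WebID-TLS check (it maps a constructed certificate fingerprint to a URI), the ACL rules and agent URIs are constructed sample data, and `access_control` is the glue the e-mail leaves implicit. The `foaf:Agent` URI is the one WebAccessControl uses for "everyone".

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# acl:agentClass foaf:Agent is how a WAC rule grants access to everyone.
PUBLIC = "http://xmlns.com/foaf/0.1/Agent"


@dataclass(frozen=True)
class Request:
    resource: str   # URI of the resource being requested
    mode: str       # "Read" or "Write", mirroring acl:Read / acl:Write


@dataclass(frozen=True)
class AclRule:
    resource: str
    mode: str
    agents: FrozenSet[str]   # agent URIs (WebID or any other URI), or PUBLIC


class Authentication:
    """Hypothetical authenticator: stand-in for WebID-TLS.

    authenticate(*) returns an agent identifier (a URI) or None. The
    credential here is a constructed certificate fingerprint; a real
    implementation would verify the certificate and the WebID profile.
    """

    def __init__(self, known: Dict[str, str]):
        self._known = known
        self.calls = 0   # number of authentication attempts (shows step 0 skipping them)

    def authenticate(self, credential: Optional[str]) -> Optional[str]:
        self.calls += 1
        if credential is None:
            return None
        return self._known.get(credential)


class Authorisation:
    """Hypothetical WAC-style authoriser: needs only a URI for the agent, not a WebID."""

    def __init__(self, rules: List[AclRule]):
        self._rules = rules

    def _matching(self, request: Request):
        return [r for r in self._rules
                if r.resource == request.resource and r.mode == request.mode]

    def is_public(self, request: Request) -> bool:
        # Step 0: some rule grants this mode on this resource to everyone.
        return any(PUBLIC in r.agents for r in self._matching(request))

    def authorise(self, agent: str, request: Request) -> bool:
        # Step 2: the authenticated identifier (any URI) appears in a matching rule.
        return any(agent in r.agents or PUBLIC in r.agents
                   for r in self._matching(request))


def access_control(authn: Authentication, authz: Authorisation,
                   request: Request, credential: Optional[str]) -> bool:
    """Decide a request: step 0 first, so public resources never trigger step 1."""
    if authz.is_public(request):          # step 0
        return True
    agent = authn.authenticate(credential)  # step 1
    if agent is None:
        return False
    return authz.authorise(agent, request)  # step 2


def build_demo():
    """Constructed sample data: one WebID user, one non-WebID URI, three ACL rules."""
    authn = Authentication({
        "fp-alice": "https://alice.example/card#me",   # a WebID (constructed)
        "fp-bob": "mailto:bob@example.org",            # a plain URI, not a WebID (constructed)
    })
    authz = Authorisation([
        AclRule("https://alice.example/public/notes", "Read", frozenset({PUBLIC})),
        AclRule("https://alice.example/private/diary", "Read",
                frozenset({"https://alice.example/card#me", "mailto:bob@example.org"})),
        AclRule("https://alice.example/private/diary", "Write",
                frozenset({"https://alice.example/card#me"})),
    ])
    return authn, authz


if __name__ == "__main__":
    authn, authz = build_demo()
    print(access_control(authn, authz,
                         Request("https://alice.example/public/notes", "Read"), None))
    print("authentication attempts:", authn.calls)
```

The decoupling Nathan describes shows up in `Authorisation.authorise`: it compares URIs and nothing else, so the `mailto:` identifier is authorised exactly like the WebID, and a different `Authentication` implementation could be swapped in without touching the ACL logic.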