W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > July to September 1996

Re: Authentication, security requirements

From: Alan Freier <freier@netscape.com>
Date: Thu, 26 Sep 1996 10:14:42 -0700
Message-ID: <324ABA02.345B@netscape.com>
To: Jim Whitehead <ejw@ics.uci.edu>
CC: w3c-dist-auth@w3.org
Along with authentication, authorization and privacy, one might want to
include non-repudiation as a requirement for authoring.

Non-repudiation would be a handy capability for any type of collabortive
efforts or submission/modification of sensitive data. It needs to be
tied closely with strong authentication.

To the best of my knowledge (which is always suspect) there is no one
dealing with this issue in a commercial product today. If there is some
work going on out there, perhaps we could look at it for input.

And then ....

On the subject of idempotency.

I'm concerned that people are compromising the definition of idempotency
to fit what they think can be easily implemented. My understanding of
the term is that an idempotent operation can be repeated any number of
times and the result is the same.

A common example of an idempotent operation is a directory lookup. Even
with this apparently safe example, it's clear that the operation is not
idempotent over all space and TIME. However, the example is normally

Another example of an idempotent operation is a file (or object or
container or whatever) DELETE. This example gives me some concern. It
seems as though the proof of idemptency is based on the following

	handle = Enumerate(object);
	handle = Enumerate(object);

If the final assigned value of 'handle' is null (implying no such
object). This is the desired state after a 'delete' operation, so all is

Observation would also note that the final value of 'handle' in the
following sequence is also null. Some would argue that this proves the
'delete' operation is therefore idempotent.

	handle = Enumerate(object);
	handle = Enumerate(object);

This is observing the result, but ignoring the cause. What's missing is
the status of completion of the 'delete' operation.

There is and should be an important distinction between a delete that
completes with 'success' verses a delete the completes with a status of
'invalid handle'.

There are two possible reasons for the latter case:

	Another process deleted the object after the 'Enumerate'
	was called. This could be a access violation, and non-
	repudiation (should it be enabled for deletes) would provide
	information regarding who actually deleted the object.


	The protocol does not have "at most once exection" semantics.
	Without such sematics, one will have great difficulty creating
	anything but idempotent protocols. Of course, that's how the
	definition of idempotent got compromised in the first place,
	isn't it?

I believe useful idempotent networking protocols do not exist.
Continuing to believe they do and trying to design processes to take
advantage of idempotency is fruitless. The real goal is to control cache
coherency; can the sending of the object across the network be
suppressed and a more local copy offered instead.

Alan O. Freier		Corporate Cynic
<freier@netscape.com>	(415) 937-3638 (work)
Received on Thursday, 26 September 1996 13:14:57 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:01:08 UTC