RE: "Onion model" explained

>From:	Hal Lockhart [mailto:hal.lockhart@entegrity.com]
[snip]
>1. I still maintain that Authentication is never an end in itself,
>   it is a step that collects data to be used in some other
>   decision. Pete Wenzel said it best:

Hal,

Believe such as you wish; I have no desire to spend
time changing your mind. :-)

The point I made, as I recall, was to show the fallacy
of "authN by itself was *never* enough" [Assertion A].
That was IMV an extraordinary claim.
Never mind whether it makes an interesting app or not.
Interesting apps don't prove technicalities one way or another.
Yet I do have interesting stuff in store for you.

Now, "an extraordinary claim calls for extraordinary proof."
In this case, tens of paragraphs would only amount to waste
if you can't prove the heartbeat app, which showed Assertion
A was false, to be false (as an authN-alone app).

As a rule I no longer do app tutorials in public, for
reasons I don't care to mention here.  As an exception,
here's one heartbeat app with a negative trigger.
Every N seconds Alice sends an "I'm-alive" signal to Bob.
By sharing a common secret, only Bob knows how to 
authenticate the signals from Alice.  Bob will invoke
Proc A if M heartbeats from Alice are missed.
See?  No authZ whatsoever, not even Integrity or
Encryption (as in the cases of H-MAC or dsig),
was involved, other than authN.  Wanna make
the app interesting?  Try to come up with an
oscillating function F, such that, by
"salting" F parametrically with S, an infinite
series of integers can be predictably generated.
Hint: S is the shared secret.

Cheers,

Joe Hui
Exodus, a Cable & Wireless service

Received on Monday, 22 July 2002 23:03:04 UTC
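
The heartbeat scheme described in the message above, sketched from Bob's side as an added example that is not part of the original post or the author's code. The message leaves F unspecified; HMAC-SHA256 over an interval counter is swapped in here purely as a keyed generator for the integer series, and the names `heartbeat_value`, `HeartbeatMonitor` and `proc_a`, the 64-bit value size, and the reading of "M missed" as M consecutive intervals are all assumptions.

```python
import hashlib
import hmac

def heartbeat_value(secret: bytes, slot: int) -> int:
    """Stand-in for F salted with S: the slot-th integer of the series."""
    mac = hmac.new(secret, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")

class HeartbeatMonitor:
    """Bob: authenticates one value per N-second interval, runs Proc A after M misses."""

    def __init__(self, secret: bytes, max_missed: int, proc_a):
        self.secret = secret
        self.max_missed = max_missed  # M in the message
        self.proc_a = proc_a          # Proc A in the message
        self.slot = 0                 # index of the interval being checked
        self.missed = 0               # consecutive unauthenticated intervals
        self.fired = False            # Proc A runs once per outage

    def tick(self, received=None) -> bool:
        """Call once per interval with the integer received, or None if nothing came."""
        expected = heartbeat_value(self.secret, self.slot)
        self.slot += 1  # the expected value advances even when nothing arrives
        valid = (
            isinstance(received, int)
            and 0 <= received < 2**64
            and hmac.compare_digest(received.to_bytes(8, "big"),
                                    expected.to_bytes(8, "big"))
        )
        if valid:
            self.missed, self.fired = 0, False
            return True
        # Silence, a forged value and a replayed old value all count as a miss.
        self.missed += 1
        if self.missed >= self.max_missed and not self.fired:
            self.fired = True
            self.proc_a()
        return False

def demo():
    secret = b"constructed-shared-secret"  # constructed sample value
    alarms = []
    bob = HeartbeatMonitor(secret, 3, lambda: alarms.append(bob.slot))
    inputs = [heartbeat_value(secret, 0), heartbeat_value(secret, 1),
              None, heartbeat_value(secret, 0), 12345]  # silence, replay, forgery
    return [bob.tick(v) for v in inputs], alarms

if __name__ == "__main__":
    print(demo())
```

Because the expected value is tied to the interval index, a captured heartbeat cannot be replayed later to keep Bob from running Proc A.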