Re: "Onion model" explained from Pete Wenzel on 2002-07-23 (www-ws-arch@w3.org from July 2002)

From: Pete Wenzel <pete@seebeyond.com>
Date: Tue, 23 Jul 2002 15:42:10 -0700
To: Joseph Hui <Joseph.Hui@exodus.net>
Cc: Hal Lockhart <hal.lockhart@entegrity.com>, www-ws-arch@w3.org
Message-ID: <20020723154210.A24590@seebeyond.com>
Thus spoke Joseph Hui (Joseph.Hui@exodus.net) on Tue, Jul 23, 2002 at 01:33:18PM -0700:
> What Pete said amounted to like saying axiomatically that
> if you hear a person speak and recognize whose voice it is,
> then it can be inferred that the person is authorized to
> speak to you. 

I didn't state it as an axiom, just an example of the simplest authZ
policy possible that still depends on authN.  If my only requirement
is to ignore people whose identities I can't ascertain, then I don't
need a higher resolution authZ policy than that.

Your heartbeat example likely isn't even this simple.  If Bob receives
a signal from Carol, even though he can authenticate it as being from
her, his authZ policy probably says that only Alice can reset the
"Proc A" counter.  (Maybe Carol's signal will cause a "Proc C" counter
to be reset instead.)

> Note the keyword "often" in the glossary definition.
> The arguments you and Pete made was to make it "always."

I am fine with the definition as-is, because of course one is free to
ignore an authentication result and not use it for any immediate or
future purpose.  But as I have already said, this is a degenerate
case, of no practical value, in which authN was therefore not needed
in the first place; so we could just as well not waste resources
performing it.  "Sometimes, authN by itself is even too much."

--Pete

> -----Original Message-----
> From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
> Sent: Tuesday, July 23, 2002 11:52 AM
> To: 'Pete Wenzel'; Joseph Hui
> Cc: www-ws-arch@w3.org
> Subject: RE: "Onion model" explained
> 
> 
> 
> I agree with Pete. In my mind you have an AuthZ policy with two distinct
> steps, something like this: 
> 
> 1. If (authentication of suitable type does not suceed) ignore message 
> 
> 2. Update the info associated with the party sending the request. 
> 
> Since you made an implemention choice to do this in program code, you
> choose to view these steps as part of the application. However, they
> could have just as well been done using an authorization policy
> infrastructure, in which case it would be obvious that this constituted
> authorization.
> 
> The WSA glossary defines Authentication as: 
> 
> To positively verify the identity of a user, device, or other entity in
> a computer system, often as a prerequisite to allowing access to
> resources in a system
> 
> The SAML definition is similar: 
> 
> To confirm a system entity's asserted principal identity with a 
> specified, or understood, level of confidence. 
> 
> Neither says anything about MAKING USE of the identity. I claim that as
> soon as you do so, you are doing Authorization or generating Audit trail
> or something else.
> 
> Hal 
> 
> > -----Original Message----- 
> > From: Pete Wenzel [ mailto:pete@seebeyond.com
> <mailto:pete@seebeyond.com> ] 
> > Sent: Tuesday, July 23, 2002 2:11 PM 
> > To: Joseph Hui 
> > Cc: Hal Lockhart; www-ws-arch@w3.org 
> > Subject: Re: "Onion model" explained 
> > 
> > 
> > Thus spoke Joseph Hui (Joseph.Hui@exodus.net) on Mon, Jul 22, 
> > 2002 at 08:03:51PM -0700: 
> > > >From:      Hal Lockhart [ mailto:hal.lockhart@entegrity.com
> <mailto:hal.lockhart@entegrity.com> ] 
> > > [snip] 
> > > >1. I still maintain that Authentiation is never an end in itself, 
> > > >   it is a step that collects data to be used in some other 
> > > >   decision. 
> > > ... 
> > > The point I made, as I recall, was to show the fallacy 
> > > of "authN by itself was *never* enough" [Assertion A]. 
> > > ... 
> > > here's one heartbeat app with a negative trigger. 
> > > Every N seconds Alice sends an "I'm-alive" signal to Bob. 
> > > By sharing a common secret, only Bob knows how to 
> > > authenticate the signals from Alice.  Bob will invoke 
> > > Proc A if M heartbeats from Alice are missed. 
> > > See?  No authZ whatsoever, 
> > 
> > But authentication of Alice's signal has a side-effect:  it causes 
> > Bob to reset his watchdog timer-counter.  Signals that cannot be 
> > authenticated as coming from Alice should not result in the reset 
> > behavior.  In other words, we can say that Alice is authorized to 
> > reset Bob's counter (or, equivalently, that Alice is authorized to 
> > prevent Bob's execution of Proc A). 
> > 
> > > not even Integrity or 
> > > Encryption (as in the cases of H-MAC or dsig), 
> > > was involved.... 
> > 
> > Yes, these have independent uses; clearly sometimes AuthN+AuthZ is 
> > enough.  However, the heartbeat example doesn't demonstrate that AuthN
> 
> > is enough by itself, because there is more taking place than just 
> > AuthN. 
> > 
> > --Pete 
> > Pete Wenzel <pete@seebeyond.com> 
> > SeeBeyond 
> > Standards & Product Strategy 
> > +1-626-471-6311 (US-Pacific)
Received on Tuesday, 23 July 2002 18:42:42 UTC