OASIS Mailing List Archives

security-services message

Subject: RE: Definitions: authentication, etc.


Krishna - Actually, I intended that credentials verification only confirm that a specific credential applies to a specific Principal. If the credentials were to include an "authenticator" (e.g. digest of password or public key), then it won't always be necessary to confirm that the subject Principal is live at the other end of an authentic session. Only when the credentials are bound to the Principal by mere "possession of the token" is it necessary to confirm that you are handing the translated credential to the proper Principal.

Best regards. Tim.
 
P.S.  Perhaps, we should introduce another term: "authenticator", to mean the "means of authentication" that is optionally contained within a credential (digest of password or public key).
-----Original Message-----
From: Krishna Sankar [mailto:ksankar@cisco.com]
Sent: Sunday, March 11, 2001 9:52 PM
To: Tim Moses; 'OASIS Security Services group'
Subject: RE: Definitions: authentication, etc.

Comments embedded.
 
cheers

Credential verification - The process of verifying that a specific Principal is the subject of a specific credential.  

<KS>

IMHO, this seems too vague. We know who is the subject of the specific credential, for example by inspecting the DN in a certificate. But can we *associate* that subject with the current principal is the question.

 </KS> 
Authentication - Authentication is identical to credential verification.  (Note: the current Glossary defines "authentication" only in terms of "identity".  The current sentiment in the Assertions group seems to be to downplay the distinction between "name" and any other attribute of a Principal.  Therefore, we need a term that applies only to verifying a credential.  We could redefine "authentication" to serve this role, or use the term "credential verification" instead.  I don't have strong views on this choice). 

<KS>

It wouldn't be a good idea to redefine authentication as it is widely used with verifying the identity. Could we use the word credential validation in this context?

</KS> 

Credential issuance - The process of creating and making available a credential.
Credential translation - Credential translation is a two step process, involving credential verification and credential issuance.  Both the verified and issued credentials must apply to the same Principal.  But, the attributes in each credential may be different.

<KS>

Does it mean verifying the identity (i.e. authentication) during translation? If so, this could be impossible as we might not have the challenge mechanism. We could, of course, get an assertion from the authenticator to assert the authentication.

</KS>


