Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 17 Dec 2017 15:24:30 -0600
From: Jeffrey Goldberg <jeffrey@...dmark.org>
To: passwords@...ts.openwall.com
Subject: Re: Authentication vs identification

On Dec 17, 2017, at 6:27 AM, e@...tmx.net wrote:

> On 12/17/2017 02:58 AM, Jeffrey Goldberg wrote:
>> On Dec 16, 2017, at 3:30 AM, "e@...tmx.net" <e@...tmx.net> wrote:
>>>> Although authentication typically requires the active participation of the prover, while identification may not, that is not the crucial distinction. It would be a mistake to define the difference in those terms.
>>> 
>>> a counterexample?
>> Every time you tell someone your name or enter your username into a site you are participating in the identification process.
> 
> come on! i meant the opposite counterexample: an auth occurrence that does not require my active participation.

You wanted to define the different between authentication and identification in terms of one party’s participation. My counter-example shows that such a definition will not give us the results that we want.

Look, you can define things anyway you want, but you can’t expect others to use the words that way unless you demonstrate some advantage and insight that your new definition has.

But consider:

The standard definitions that so many of us have given you is based on the purpose of the processes. Identification attempts to achieve X while authentication attempts to achieve Y. Your definition attempts to distinguish based on a side-effect of how those systems tend to work.

It may well be the case that authentication will always require the prover to actively prove that it has access to a secret. Even if that is true, it is a sucky thing to base a useful definition on.

You can define human as “featherless biped”, but that would include plucked chickens and kangaroos. And it would leave you with a definition that misses the core notion.

It’s fine to for you to be pleased with your insight that in (all?) authentication systems the prover must act to prove its authenticity. It may be a deep insight (I doubt it is a new one). But it isn’t close to being the basis for a useful definition. It is particularly not useful because there are definitely SOME identification systems in which the prover also actively participates in their identification.

-j


Download attachment "smime.p7s" of type "application/pkcs7-signature" (3367 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.