Date: Wed, 20 Dec 2017 07:16:12 +0100
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: Re: Authentication vs identification

>>> But consider:
>>> The standard definitions that so many of us have given you
>>
>> have led us into the mess where non-secret identifiers are commonly used as auth tokens, where the entire credit card system is thoroughly useless, and still is being used.
> 
> It is a terrible problem that so many institutions are using knowledge of non-secret identifiers as “proof” of authenticity, but I don’t see how this is a problem with definitions that we’ve all quoted at you.

i do not have an issue with your views on auth and ID,
(besides them being a little prolix for my taste)
i want to EMPHASIZE the characteristic difference between the two in 
question. because some of this list's subscribers had claimed (a while 
ago) that there is no difference between auth and ID whatsoever.



> Indeed, your definition would, to the extent that these matter to what people do in practice, further encourage the bad behavior. If you require someone to give you their birthdate, then that becomes authentication by your definition.

no it doesn't.
i did not say "an actor demands anything"
i said the procedure itself REQUIRES (includes with necessity)...
which means without the feature in question the procedure loses its essence.

clear?
