Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 17 Dec 2017 15:24:30 -0600
From: Jeffrey Goldberg <jeffrey@...dmark.org>
To: passwords@...ts.openwall.com
Subject: Re: Authentication vs identification

On Dec 17, 2017, at 6:27 AM, e@...tmx.net wrote:

> On 12/17/2017 02:58 AM, Jeffrey Goldberg wrote:
>> On Dec 16, 2017, at 3:30 AM, "e@...tmx.net" <e@...tmx.net> wrote:
>>>> Although authentication typically requires the active participation of the prover, while identification may not, that is not the crucial distinction. It would be a mistake to define the difference in those terms.
>>> 
>>> a counterexample?
>> Every time you tell someone your name or enter your username into a site you are participating in the identification process.
> 
> come on! i meant the opposite counterexample: an auth occurrence that does not require my active participation.

You wanted to define the different between authentication and identification in terms of one party’s participation. My counter-example shows that such a definition will not give us the results that we want.

Look, you can define things anyway you want, but you can’t expect others to use the words that way unless you demonstrate some advantage and insight that your new definition has.

But consider:

The standard definitions that so many of us have given you is based on the purpose of the processes. Identification attempts to achieve X while authentication attempts to achieve Y. Your definition attempts to distinguish based on a side-effect of how those systems tend to work.

It may well be the case that authentication will always require the prover to actively prove that it has access to a secret. Even if that is true, it is a sucky thing to base a useful definition on.

You can define human as “featherless biped”, but that would include plucked chickens and kangaroos. And it would leave you with a definition that misses the core notion.

It’s fine to for you to be pleased with your insight that in (all?) authentication systems the prover must act to prove its authenticity. It may be a deep insight (I doubt it is a new one). But it isn’t close to being the basis for a useful definition. It is particularly not useful because there are definitely SOME identification systems in which the prover also actively participates in their identification.

-j


Download attachment "smime.p7s" of type "application/pkcs7-signature" (3367 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.