On Tue, Dec 24, 2002 at 10:03:45AM -0500, Alan DeKok wrote:
> "Scott Bartlett" <[EMAIL PROTECTED]> wrote:
> > Indeed, to pick a definition out of the air,
> > http://www.ietf.org/internet-drafts/draft-ietf-aaa-transport-10.txt
> > defines these words thus:
> > 
> >   Authentication
> >           The act of verifying a claimed identity, in the form of a pre-
> >           existing label from a mutually known name space, as the
> >           originator of a message (message authentication) or as the
> >           end-point of a channel (entity authentication).
> > 
> >   Authorization
> >           The act of determining if a particular right, such as access
> >           to some resource, can be granted to the presenter of a
> >           particular credential.
> 
>   Agreed 100%.
> 
>   Question: How do you determine how the server authenticates someone?
>   Answer  : You check which authentication method they are authorized
>             to use.

That's not authorization, that's selection of an authentication source.
It could be construed as "authorization" in some larger sense of the
word, but in the security community, and specifically wrt "AAA", this
is NOT authorization[1].

That is, Alan, you are correct, it is in some sense authorization, but
not in the sense that AAA uses it.  In your example, the principal has not
yet presented a credential.  In the AAA model, it is in the authentication
step where a credential is obtained for SUBSEQUENT authorization.  You
cannot authorize an unverified identity (in the AAA model).

>   I think I'm going to write some long text in 'doc/aaa.txt', telling
> people that all of their analogies and ad-hoc models are wrong.  The
> server is designed the way it is because it works.  Not because it's
> perfect, as there's always room for improvements.  But it works.

FR's use of the term authorization is the one that's ad-hoc.  AAA is
not a generic term for some generic meanings of each "A", it is a
specific definition.  The RADIUS protocol doesn't present an explicit
authorization, that is, it doesn't follow the AAA model very well.
This is a large source of confusion which FR's configs and docs aggravate.

Again, it's not that you are wrong about "authorization", it's that FR
does not conform to the specific definition of authorization in the AAA
model.

How about 'auth_selection' to replace 'authorization'?  Now that the
issue has been raised, FR really should update its terminology to be
consistent with standards.

/fc

[1] Not explicitly, anyway.  It *is* an *implicit* form of authorization,
    but that's something different and not congruent with AAA.
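An added illustration, not from this thread or from FreeRADIUS, of the
ordering argued above: selecting an authentication source happens before any
credential is verified, while AAA authorization only ever sees a principal
that authentication has already verified. The user store, rights table and
request attributes are constructed sample data.

```python
# Added example: AAA ordering vs. FR-style "authorize" (method selection).
# USERS / RIGHTS / request dicts are constructed sample data.
import hashlib
import hmac
from dataclasses import dataclass

USERS = {"alice": "s3cret"}            # constructed password store
RIGHTS = {"alice": {"Framed-User"}}    # constructed rights per verified user

@dataclass(frozen=True)
class VerifiedPrincipal:
    """Only authenticate() creates these; authorize() accepts nothing else."""
    name: str
    method: str

def select_auth_method(request):
    """FR's 'authorize' section in this model: choose an authentication
    source from the request's attributes. No credential is verified here."""
    if "CHAP-Password" in request:
        return "CHAP"
    if "User-Password" in request:
        return "PAP"
    raise ValueError("no usable credential attribute in request")

def authenticate(request, method):
    """AAA authentication: verify the claimed identity; None on failure."""
    name = request["User-Name"]
    expected = USERS.get(name)
    if expected is None:
        return None
    if method == "PAP":
        ok = hmac.compare_digest(request["User-Password"].encode(), expected.encode())
    elif method == "CHAP":
        # RFC 1994: response = MD5(identifier || secret || challenge)
        ident, challenge = request["CHAP-Ident"], request["CHAP-Challenge"]
        digest = hashlib.md5(ident + expected.encode() + challenge).digest()
        ok = hmac.compare_digest(request["CHAP-Password"], digest)
    else:
        ok = False
    return VerifiedPrincipal(name, method) if ok else None

def authorize(principal, right):
    """AAA authorization: grant a right to an already-verified identity only."""
    if not isinstance(principal, VerifiedPrincipal):
        raise TypeError("cannot authorize an unverified identity")
    return right in RIGHTS.get(principal.name, set())
```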

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
