Dave Nelson [mailto://d.b.nel...@comcast.net] writes:
> Alan DeKok writes...
>
> > > A server can tell me that I'm not authorized without
> > > knowing who I am?
> >
> > Yes. A policy could state that all logins between 5pm
> > and 9am are to be rejected. In that case, it can reject
> > you without knowing (or caring) who you are. This process
> > can't be "authorization", because it can happen *before*
> > authentication.
>
> I hate to jump into the heated debates over terminology, but I have to
> support Glen in this case. Alan, I'm sorry, you're simply mistaken about
> this.
>
> Authentication is "proof of identity", i.e., it's about who you are.
> Authorization is about "access control policy", i.e., what you may do. In
> the example that you cite above, the action is clearly authorization. The
> server is enforcing the "access control policy" that the "wildcard" user is
> prohibited from logging in during the hours of 5 PM and 9 AM. This
> authorization action *was* preceded by an implicit authentication action.
> It's just that the "wildcard" user, i.e., anyone on the planet, can easily
> be authenticated without the exchange of credentials.

I don't actually think that we need to invent a NULL authentication type here: there is no authentication nor any authorization in this case, there is just a fixed policy.

There are lots of policies that are unrelated to both authentication and authorization, including policies controlling network access. For example, it might be a corporation's policy not to put Ethernet ports in conference rooms, so unless your laptop has a wireless interface, no network access. This policy has nothing to do with either authentication or authorization, only with having the right equipment (not unlike NEA).