Reword difference between authn vs. authz. #86
Conversation
When comparing authn. vs. authz., I prefer you to use either
"Who is this?" and "What can they do?", or
"Is this X?" and "Can X do this action?"
to be consistent, rather than to mix the two different styles.
<p class="note" title="Authentication versus Authorization"> | ||
Note that the definition of [=authentication=] is different from the definition | ||
of [=authorization=]. Generally speaking, [=authentication=] answers the | ||
question of "Who is this?" while [=authorization=] answers the question of "Are |
question of "Who is this?" while [=authorization=] answers the question of "Are | |
question of "Who is this?" while [=authorization=] answers the question of "What |
question of "Who is this?" while [=authorization=] answers the question of "Are | |
question of "Is this identity valid?" while [=authorization=] answers the question of "Are |
Note that the definition of [=authentication=] is different from the definition | ||
of [=authorization=]. Generally speaking, [=authentication=] answers the | ||
question of "Who is this?" while [=authorization=] answers the question of "Are | ||
they allowed to perform this action?". The `authentication` property in this |
they allowed to perform this action?". The `authentication` property in this | |
actions are they allowed to perform?". The `authentication` property in this |
I like the previous wording better, but would be OK with either.
I prefer the existing wording as well because I think this suggestion fundamentally changes the question to be about getting a list of someone's authorized actions vs. asking if they are authorized for the specific action at hand. These aren't actually the same thing and if asking the former, the latter would just have to then be asked do the actual authorization check -- so, I think the existing wording captures this directness better.
of [=authorization=]. Generally speaking, [=authentication=] answers the | ||
question of "Who is this?" while [=authorization=] answers the question of "Are | ||
they allowed to perform this action?". The `authentication` property in this |
of [=authorization=]. Generally speaking, [=authentication=] answers the | |
question of "Who is this?" while [=authorization=] answers the question of "Are | |
they allowed to perform this action?". The `authentication` property in this | |
of [=authorization=]. Generally speaking, [=authentication=] answers the | |
question of "What entity is trying to act?" while [=authorization=] answers the | |
question of "Are they allowed to perform this action?". The `authentication` | |
property in this |
I'm not sure it's better to change "Who is this?" to "What entity is trying to act?" -- as it implies that there is an additional action beyond authentication itself. Maybe we can interpret that in some vacuously true way, but I don't think we should imply that authenticating involves additional actions. Authentication could just be a response to "Is this you?" -- with no further action implied by the entity that answers.
@dlongley — Maybe this?
of [=authorization=]. Generally speaking, [=authentication=] answers the | |
question of "Who is this?" while [=authorization=] answers the question of "Are | |
they allowed to perform this action?". The `authentication` property in this | |
of [=authorization=]. Generally speaking, [=authentication=] answers the | |
question of "What entity is trying to act?" while [=authorization=] answers the | |
question of "Are they allowed to perform this action?" Note that the action being | |
attempted might simply be proving the entity's own identity, i.e., authenticating. | |
The `authentication` property in this |
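Review bot: The sentence added in this suggestion, "Note that the action being attempted might simply be proving the entity's own identity, i.e., authenticating.", folds authentication into the authorization question, which works against the note's opening claim that the two definitions are different. Suggest dropping that sentence so the authentication question stands on its own, or rewording it so that proving identity is not presented as an action that itself needs to be authorized.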
Maybe "What entity am I interacting with?" This removes the requirement that the other entity is the one driving the action (which may not be the case).
It strikes me that perhaps your suggestion is driven by an effort to reconcile the language in the two questions together in some way. However, the two questions are not necessarily linked and can be asked independently of one another entirely. One does not necessarily need to know "who" someone is for them to act/be authorized, nor does one necessarily need to be "authorized to act" (nor "acting" at all) in order for them to be authenticated.
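Added example (not code from this PR or the specification it edits): a minimal Python model that keeps the two questions separate. It shows the direct "Are they allowed to perform this action?" check against the "What actions are they allowed to perform?" enumeration discussed in the review thread, and that each question can be asked without the other (an authenticated identity with no grants; an unauthenticated caller allowed a public action). The identities, secrets and grants are constructed sample data, and the challenge/HMAC proof is an assumed stand-in for whatever verification method a real deployment uses.

```python
import hashlib
import hmac
from typing import Optional, Set

# Constructed sample data (assumed model, not the spec's data structures).
# Shared secrets stand in for a real verification method.
IDENTITIES = {"alice": b"alice-secret", "bob": b"bob-secret", "carol": b"carol-secret"}
GRANTS = {"alice": {"read", "write"}, "bob": {"read"}}   # carol: authenticated, no grants
PUBLIC_ACTIONS = {"read-public"}                          # allowed without any identity


def prove_identity(identity: str, challenge: bytes) -> bytes:
    """Prover side (demo only): HMAC over a fresh challenge with the identity's secret."""
    return hmac.new(IDENTITIES[identity], challenge, hashlib.sha256).digest()


def authenticate(claimed_id: str, proof: bytes, challenge: bytes) -> Optional[str]:
    """Authentication: "Who is this?"
    Verifies the proof for the claimed identity over the challenge the verifier issued.
    Returns the identity on success, None otherwise. No action is implied."""
    secret = IDENTITIES.get(claimed_id)
    if secret is None:
        return None
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return claimed_id if hmac.compare_digest(expected, proof) else None


def is_authorized(subject: Optional[str], action: str) -> bool:
    """Authorization: "Are they allowed to perform this action?"
    A yes/no answer about one action. subject may be None (unauthenticated),
    so authorization can be asked without any prior authentication."""
    if action in PUBLIC_ACTIONS:
        return True
    return subject is not None and action in GRANTS.get(subject, set())


def permitted_actions(subject: Optional[str]) -> Set[str]:
    """The alternative question: "What actions are they allowed to perform?"
    Returns an enumeration; the caller must still test membership of the
    action at hand, which is the extra step the review thread points out."""
    return PUBLIC_ACTIONS | (GRANTS.get(subject, set()) if subject else set())
```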
<p class="note" title="Authentication versus Authorization"> | ||
Note that the definition of [=authentication=] is different from the definition | ||
of [=authorization=]. Generally speaking, [=authentication=] answers the | ||
question of "Who is this?" while [=authorization=] answers the question of "Are |
question of "Who is this?" while [=authorization=] answers the question of "Are | |
question of "Is this identity valid?" while [=authorization=] answers the question of "Are |
"Who is this?" is actually identification, not authentication. Authentication is verifying something. The dictionary definition of authentication is "The process or action of proving or showing something to be true, genuine, or valid."
Editorial, multiple reviews, changes requested and made, no objections, merging.
This PR is an attempt to address issue #55 by rephrasing the "authentication versus authorization" note.