« OWASP Podcast Interview | Main | AuthZ is a known known, AuthN is a known unknown »

Comments

Andy Steingruebl

Fundamentally though underneath some of this, is an authentication problem, right? Sure there is other authorizing data coming along for the ride, but underneath it all is the ability to make assertions than can be validated. At its core this involves some sort of authentication, if not of users, then of services, applications, etc.

Or am I missing some nuance here?

Iang (40 years on, packets still echo on, and we're still dropping the auth-shuns)

Although I agree with the central criticisms, I'm not sure I agree with a conclusion that "tech XYZ has got it."

Fundamentally, auth in all its forms is making some sort of claim available to humans. "assertations for validation" as Andy says. But, just because we've found the words doesn't mean we can build it.

Auth involves assertations or claims that are so diverse as to be difficult to create into a concrete single technology. Consequently, great schemes tend to be built into the application as custom methods; that's because only at that top, application layer does enough meaning from the user's mind crystalise enough to be coded up. Efficiently.

So I think there will never be "a standard method of authentication." Nor even many. Call me radical :)

The comments to this entry are closed.