There's a big Gov 2.0 summit going on, which I am not at, but at the event John Markoff apparently asked Vint Cerf the following question: "what would you have designed differently in building the Internet?" Cerf had one answer: "more authentication".
I would like to suggest that the problem is not a lack of authentication. There are lots of ways to authenticate, all of them flawed (some more than others, granted), but I don't see how authentication could have been designed and built way back then and still be resilient today. Look how often authentication changes. In any case, as I have said before, authentication is a mystery or a guess, and mysteries and guesses have no place adding ambiguity and uncertainty to other specs.
What could have been done better in my view is identity and authorization. This is a much more concrete problem and a simple reference monitor for making access control decisions about authorization would have gone a long way, especially when combined with identity standards to convey identity claims in an interoperable way.
The gray box, "resources" aka URIs, has been standardized; the blue parts, identity tokens and access control containers, can be standardized. There are a finite number of decisions that an access control container needs to make, and their workflow and the token schemas that support them can and should be standardized. In fact you can look at XACML and SAML as existing standards that do this. Authentication, however, is quite tricky for many reasons and seems to be best left to evolve on its own. But having a way for authN to plug into a standard back end that supports consistent identity tokens and access control decisions would solve a lot of the problems we see today.
Authentication has a long way to go before it's a solved problem; authorization has been solved for 30 years.
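The reference-monitor idea from the paragraph above, as an added example that is not part of this post: a small XACML-style policy decision point in Python. Authentication stays outside it; the caller hands in an identity token that is assumed to have already been verified by whatever authN scheme is plugged in front, and the monitor only decides authorization. The resource URIs, claim names and rules are made up for illustration.

```python
from dataclasses import dataclass

@dataclass
class Request:
    claims: dict      # verified identity claims conveyed by the token, e.g. {"role": "analyst"}
    resource: str     # the URI being accessed (the standardized "gray box")
    action: str       # e.g. "GET", "PUT", "DELETE"

@dataclass
class Rule:
    resource_prefix: str
    actions: frozenset
    required_claims: dict    # claim name -> set of acceptable values
    effect: str              # "Permit" or "Deny"

    def matches(self, req: Request) -> bool:
        if not req.resource.startswith(self.resource_prefix):
            return False
        if req.action not in self.actions:
            return False
        # A missing claim never satisfies a rule: claims.get() yields None, which is in no set.
        return all(req.claims.get(k) in v for k, v in self.required_claims.items())

class ReferenceMonitor:
    """Policy decision point: evaluates rules, never authenticates."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, req: Request) -> str:
        # Deny-overrides combining: any matching Deny wins, then any Permit, else default deny.
        matched = [r for r in self.rules if r.matches(req)]
        if any(r.effect == "Deny" for r in matched):
            return "Deny"
        if any(r.effect == "Permit" for r in matched):
            return "Permit"
        return "Deny"

# Constructed sample policy for a hypothetical reports service.
POLICY = ReferenceMonitor([
    Rule("https://example.org/reports/", frozenset({"GET"}), {"role": {"analyst", "admin"}}, "Permit"),
    Rule("https://example.org/reports/", frozenset({"PUT", "DELETE"}), {"role": {"admin"}}, "Permit"),
    Rule("https://example.org/reports/hr/", frozenset({"GET", "PUT", "DELETE"}), {"dept": {"eng", "sales"}}, "Deny"),
])

def decide(claims: dict, resource: str, action: str) -> str:
    """Convenience entry point: the token (claims) comes from any authN backend."""
    return POLICY.decide(Request(claims, resource, action))

if __name__ == "__main__":
    print(decide({"role": "analyst", "dept": "eng"}, "https://example.org/reports/q3", "GET"))  # Permit
```

Because the monitor consumes only the claim shape, swapping the authentication scheme in front of it (password, SAML assertion, certificate) leaves the authorization decisions untouched.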
P.S. On a related note from the same conference
Fundamentally though underneath some of this, is an authentication problem, right? Sure there is other authorizing data coming along for the ride, but underneath it all is the ability to make assertions than can be validated. At its core this involves some sort of authentication, if not of users, then of services, applications, etc.
Or am I missing some nuance here?
Posted by: Andy Steingruebl | September 09, 2009 at 01:08 PM
Although I agree with the central criticisms, I'm not sure I agree with a conclusion that "tech XYZ has got it."
Fundamentally, auth in all its forms is making some sort of claim available to humans. "assertions for validation" as Andy says. But, just because we've found the words doesn't mean we can build it.
Auth involves assertions or claims that are so diverse as to be difficult to create into a concrete single technology. Consequently, great schemes tend to be built into the application as custom methods; that's because only at that top, application layer does enough meaning from the user's mind crystalise enough to be coded up. Efficiently.
So I think there will never be "a standard method of authentication." Nor even many. Call me radical :)
Posted by: Iang (40 years on, packets still echo on, and we're still dropping the auth-shuns) | September 11, 2009 at 01:03 PM