the confusion about authentication and authorization

There’s a lot of confusion about authentication and authorization.

At the basic level:

Authentication is about proving your identity: how you prove to someone that you are who you say you are.

Authorization is about your entitlements: what you have access to, what you are "authorized" to do or act upon.

Authorization depends entirely on authentication coming first. If I can't authenticate who you are, my authorization rules are useless: they would be applied to whatever identity you chose to claim.

At a basic level, at a "chic" bar or dance club, if you're on my guest list, I first have to check your ID to verify you are who you say you are (authentication), and only then check my guest list to see whether you're on it (authorization).

If you think about how we authenticate people, there's a whole range of things we authenticate them on, but it mostly comes down to some level of trust.

If you give me your ID and I check it, there's some level of trust that the ID (the credential) you're providing is trustworthy: it's got a government seal on it and everything. If my bar has been hit a few times for underage drinking, I trust the ID a little less, so I develop an eye for fake IDs, or nowadays I check it against a "swipe" machine. That means I'm extending my trust holdings, or trustees, or trust circle, whatever you call it, a little further: my trust circle now includes my experience, or my government-sanctioned "swipe" contraption.

If you think about it a little further, each extension of my trust circle again involves identity first, then authentication, then authorization. In the first case, my employer "trusts" my identity and therefore "trusts" me to do the job of authenticating customers at the door. In the second case, my employer "trusts" the identity of the government "swipe" verifier system.

And on and on it goes. Essentially, it comes down to a web of trust for identities, and today, in the real world, the whole thing is held up by unverifiable trusts all along the way. Any one of them could break down, and then your whole setup is fair game. One of the reasons our society has held up against the gaming of this is the fear of a mass breakdown of this social infrastructure. That's why we create laws about identity, IDs and passports, all of which are tied to physical verification and characteristics (fingerprints, voiceprints, facial recognition and so on), and it has held up, up to now.

If you extend that to the internet and the digital space, things like PKI (public key infrastructure), PGP/GPG, S/MIME, SSL, you name it, came about, one building upon the other. A whole bunch of them are just virtual identity infrastructures that fall down when you actually scrutinize them: each one ultimately rests on a certificate authority, a key server or a chain of signatures that the relying party has no way to verify for itself.

So, you see, I misled you as a reader. When it comes down to it,

it’s actually about identity and identity.

Once you have a foolproof way to create an identity, you have a way to verify it, or fail to verify it, or revoke it (authenticate). Authorization is easy after that; after all, it's just a guest list. Or a guest list of guest lists, or this guest list and that guest list but not that other guest list, but also all of some other guest list. Or a specialized type of guest list that might say on Tuesdays you're allowed in if you have a moustache but not if you're wearing sandals, and on Wednesdays, which are slow nights, everyone of a certain age or sex is allowed in for free.
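The club door, as code. This is an added example and not part of the original post; it covers both the "check the ID first, then the guest list" point above and the composite guest-list policies just described. The issuer key, the guest lists, the house rules and the dates are all constructed for illustration. The "government seal" on an ID is modelled as an HMAC over the ID's fields; the point the example makes is that a door which skips the seal check is applying its guest list to whatever name the customer claims.

```python
"""Authenticate first, then authorize: the club door as code.

Added example, not from the original post.  The issuer key, the guest
lists, the house rules and the dates below are constructed.
"""
import hashlib
import hmac
from datetime import datetime

# Constructed issuer key.  The "government seal" on an ID is modelled as
# an HMAC over the ID's fields under this key.
ISSUER_KEY = b"constructed-issuer-key"

# Constructed dates: 2024-01-03 is a Wednesday, 2024-01-04 a Thursday.
WEDNESDAY = datetime(2024, 1, 3)
THURSDAY = datetime(2024, 1, 4)


def _seal(name: str, birth_year: int, key: bytes) -> str:
    body = f"{name}|{birth_year}".encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_id(name: str, birth_year: int, key: bytes = ISSUER_KEY) -> dict:
    """Issuer side: mint a credential carrying a seal over its fields."""
    return {"name": name, "birth_year": birth_year,
            "seal": _seal(name, birth_year, key)}


def authenticate(credential: dict, key: bytes = ISSUER_KEY):
    """Door side: check the seal.  Returns the verified identity, or None.
    compare_digest avoids leaking the seal byte-by-byte through timing."""
    expected = _seal(credential["name"], credential["birth_year"], key)
    if not hmac.compare_digest(expected, credential.get("seal", "")):
        return None
    return {"name": credential["name"], "birth_year": credential["birth_year"]}


# Constructed guest lists: "a guest list of guest lists".
VIP = {"alice", "bob"}
BANNED = {"bob"}
STAFF_PLUS_ONE = {"carol"}


def authorize(identity: dict, when: datetime) -> bool:
    """Pure policy over an already-verified identity.  Rules compose:
    house rule, then ban list, then a night-specific rule, then the lists."""
    name = identity["name"]
    age = when.year - identity["birth_year"]
    if age < 21:            # house rule, every night
        return False
    if name in BANNED:      # "but not that guest list"
        return False
    if when.weekday() == 2: # Wednesday: slow night, everyone of age gets in
        return True
    return name in VIP or name in STAFF_PLUS_ONE


def door_insecure(claimed: dict, when: datetime) -> bool:
    """Vulnerable door: applies the guest list to whatever the customer
    claims.  Anyone can present {"name": "alice", ...} and walk in."""
    return authorize(claimed, when)


def door(credential: dict, when: datetime) -> bool:
    """Fixed door: no authentication, no authorization."""
    identity = authenticate(credential)
    if identity is None:
        return False
    return authorize(identity, when)


if __name__ == "__main__":
    alice = issue_id("alice", 1990)
    forged = {"name": "alice", "birth_year": 1990, "seal": "0" * 64}
    print("alice, real ID, Thursday:", door(alice, THURSDAY))
    print("forged alice, secure door:", door(forged, THURSDAY))
    print("forged alice, insecure door:", door_insecure(forged, THURSDAY))
```

Notice that `authorize` never looks at the seal: policy code should only ever see identities that `authenticate` has already vouched for, which is what keeps the two concerns separable.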

I don’t think we’re completely there yet. We have the right thinking in terms of components, but not quite the right system, yet.

The components are an immutable digest or signature of your identity, along the lines of fingerprint signatures and the like, and these have to evolve with time to be more accurate and more immutable, tending towards infinity (somewhat like pi: everyone gets their own pi).

The system, though, is completely wrong and is prone to break down at any time. There's a multitude of ways one could go about creating an identity (the component) out of a broken system (a country in chaos, a person or family intent on gaming the system, birth certificates included), like producing fake but verifiable birth certificates or passports, you name it.

What you need now, with the aid of the digital space, is a mutually verifiable, multi-way replicated public digest archive of the public portion of the identity, one that is immutable and available across the globe.
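One way to model that archive, as an added example that is not part of the original post: an append-only log in which every entry commits to the hash of the one before it, replicated to several holders who compare heads. The identity records below are constructed and carry only public fields (a name and a stand-in public key); the digest and chaining scheme is an illustration, not a proposal from the post. The example also shows why "replicated" matters as much as "immutable": a single archive can be re-chained by whoever controls it and will still verify against itself, and only a disagreeing replica exposes that.

```python
"""Append-only, hash-chained archive of public identity digests.

Added example, not part of the original post.  Identity records are
constructed; the digest and chaining scheme is illustrative.
"""
import hashlib
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def identity_digest(public_fields: Dict[str, str]) -> str:
    """Digest of the *public* portion of an identity record.  Canonical
    JSON (sorted keys, no whitespace) so two parties serialising the same
    fields independently arrive at the same digest."""
    canonical = json.dumps(public_fields, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode())


class DigestArchive:
    """Each entry commits to its predecessor's hash, so altering or dropping
    an old entry changes every later entry hash and therefore the head."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Dict[str, str]] = []

    @staticmethod
    def _entry_hash(prev: str, digest: str) -> str:
        return sha256_hex(f"{prev}\n{digest}".encode())

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else self.GENESIS

    def append(self, digest: str) -> str:
        prev = self.head()
        h = self._entry_hash(prev, digest)
        self.entries.append({"prev": prev, "digest": digest, "hash": h})
        return h

    def verify(self) -> bool:
        """Recompute the chain from genesis; any edit or gap breaks it."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._entry_hash(prev, e["digest"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def contains(self, digest: str) -> bool:
        return self.verify() and any(e["digest"] == digest for e in self.entries)

    def replicate(self) -> "DigestArchive":
        other = DigestArchive()
        other.entries = [dict(e) for e in self.entries]
        return other


def rewrite_history(archive: DigestArchive, index: int, new_digest: str) -> None:
    """What an attacker who controls one replica can do: swap an old digest
    and recompute every later hash.  The result still self-verifies."""
    archive.entries[index]["digest"] = new_digest
    prev = archive.GENESIS if index == 0 else archive.entries[index - 1]["hash"]
    for e in archive.entries[index:]:
        e["prev"] = prev
        e["hash"] = archive._entry_hash(prev, e["digest"])
        prev = e["hash"]


def replicas_agree(replicas: List[DigestArchive]) -> bool:
    """Mutual verification: every replica is internally consistent *and*
    all report the same head.  A re-chained replica fails the second test."""
    return all(r.verify() for r in replicas) and len({r.head() for r in replicas}) == 1


if __name__ == "__main__":
    a = DigestArchive()
    a.append(identity_digest({"name": "alice", "pubkey": "constructed-key-1"}))
    a.append(identity_digest({"name": "bob", "pubkey": "constructed-key-2"}))
    b = a.replicate()
    rewrite_history(b, 0, identity_digest({"name": "mallory", "pubkey": "x"}))
    print("tampered replica self-verifies:", b.verify())
    print("replicas agree:", replicas_agree([a, b]))
```

Checking a digest against one archive only tells you the archive is self-consistent; the check that matters is that independently held replicas share the same head, which is what turns a private ledger into a mutually verifiable one.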

On the face of it this has privacy connotations; not really, but that's something for another post.