Comments: 40 years on, packets still echo on, and we're still dropping the auth-shuns

There are two issues which you are trying to address with authentication the "who" and the "what".

I agree that the "who" is an open problem that I don't think will ever be fully addressed, due to "contexts within society" which will always be dynamic (roles change etc).

The "what" is a technical issue which can be solved relatively easily, and I'm always amazed that it has not been, except on a case by case basis.

I suspect the reason is that system architects are making the mistake of thinking they are either the same problem or directly related to each other and thus are "closely coupled" in their designs.

The answer is they are not and thus need a coupling mechanism or "interface".

To use a mechanical analogy it is the difference between a two part rivet and a nut and bolt. They both achieve the same purpose (fixing two things together) but in very different ways.

The difference between the nut and bolt and the two part rivet is the "screw thread" (interface); it is what makes a significant functional difference, giving the nut and bolt many, many advantages over the rivet.

However there was a problem with screw threads, which was that every engineer had his own, and they were all different and "hand made". This made engineering very, very expensive, so much so that sometimes you had a specific nut to a specific bolt.

A Victorian gentleman by the name of Whitworth realised that this was a significant problem and he came out with a "standard" set of threads.

The result: we no longer even think about nuts and bolts, we just select the ones that will do the job and "buy them in" from wherever.

And this is really the issue that needs addressing. There needs to be a "standard" by which the various "who" and "what" systems can be joined together, without problem.

However, to avoid there being "many standards" (giving rise to the toothbrush issue), there should be a flexible framework into which various additions can be added, and which, importantly, can meet the expanding needs of individual systems.

One of my "bugbears" about NIST is that it concentrates on the "how" not the "why" of doing things. It appears to be an American "mindset" issue; in Europe the standards bodies tend to concentrate on the "why" not the "how", with flexible frameworks in which many different types of "how" (which might have their own sub-standards) can be used interchangeably.

Posted by Regards, Clive at September 12, 2009 10:04 AM

On the WHO: yes, it is not solvable in tech.
On confusing WHO with WHAT: yes, happens all the time.
On substituting WHO for WHAT: I think this is an inevitable result of the confusion. And results in some pretty ropey situations. Far too frequently systems are built on the basis that we know WHO when we really want to know WHAT.

On the WHAT as standardised nuts & bolts: on this I disagree. To restate, the reason we've only ever solved it on a case-by-case basis (e.g., financial instruments) is because the problem is very hard. And it only gets solved when the application gels. Not a good fit for standardisation. E.g., for financial instruments (click below) I propose a very strong, very elegant solution; but it doesn't lend itself to anything other than contracts.

We all know what standardisation means. It works spectacularly well in nuts & bolts and protocols and seatbelts and so forth. That doesn't mean it applies to every problem. There are some areas of life that just don't get standardised so well: love, politics, competition, crime, internet arguments, war, ... and *security*.

Posted by Iang (on solving the case of financial instruments) at September 12, 2009 01:21 PM