Why I think identity blurs into authority

October 14, 2007

In theory we can separate the ideas of identity and authorization, and it is common to present complex computer systems this way. In practice I think that many people blur the two together, and attempting to force them apart only leads to confused users and frustrated security people.

I believe that one reason for this is that we rarely think of people in isolation in the real world; instead we think of them with their associations attached. It is not 'Chris Siebenmann, who is authorized to', it is 'Chris Siebenmann, who works for the University of Toronto and is thus authorized to'. In turn I think this is because we understand that an identity needs a context before it names a specific person. If you just say 'John Smith', the question is which John Smith you mean, and the answer is established by the context; that context may be implicit, but it is there.

Only on the Internet can we pretend to have identities divorced from context. And it is a pretense, because the context here is that of the identification system itself. (Or to put it in pretentious computer science terms, an identifier only has meaning within a particular namespace.)

Once you think of people with associations, those associations create natural ideas of authorization. In fact we should expect them to, because it is less work for people; they get to pigeonhole people into roles based on their identity associations and then just extend whatever privileges the role is entitled to.

(Or in other words, 'Chris Siebenmann works here, of course he's allowed into the building'. And when security systems depart from this they are perceived as getting in the way and get bypassed.)
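To make the namespace point concrete, here is an added example that is not part of the original post. The Principal, AFFILIATIONS, resolve and may names are hypothetical and the directory entries are constructed. It qualifies every identity with the identification system that issued it, refuses to resolve a bare name that exists in more than one namespace, and derives privileges from the identity's associations (roles) rather than from the name itself.

```python
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical names and constructed data throughout; this is not code
# from the post, only an illustration of identity-within-a-namespace
# and association-derived authorization.


@dataclass(frozen=True)
class Principal:
    """An identity is only meaningful together with the namespace
    (identification system) that issued it."""
    namespace: str
    name: str


class AmbiguousIdentity(LookupError):
    """A bare name matched more than one namespace."""


class UnknownIdentity(LookupError):
    """No identification system knows this name."""


# Constructed sample directory: each qualified identity carries the
# associations ('works here', 'is a student') that people attach to it.
AFFILIATIONS = {
    Principal("utoronto.ca", "cks"): frozenset({"staff"}),
    Principal("utoronto.ca", "jsmith"): frozenset({"student"}),
    # Same local name as the first entry but issued by a different
    # system: a different person, with no affiliation here.
    Principal("example.org", "cks"): frozenset(),
}

# Privileges are attached to associations (roles), not to bare names.
ROLE_PRIVILEGES = {
    "staff": frozenset({"enter-building", "use-printers"}),
    "student": frozenset({"enter-building"}),
}


def resolve(name: str, namespace: str | None = None) -> Principal:
    """Turn a name into a Principal, refusing to guess when the same
    name exists in more than one namespace."""
    matches = [p for p in AFFILIATIONS
               if p.name == name
               and (namespace is None or p.namespace == namespace)]
    if not matches:
        raise UnknownIdentity(name)
    if len(matches) > 1:
        raise AmbiguousIdentity(
            f"{name!r} exists in namespaces "
            + ", ".join(sorted(p.namespace for p in matches)))
    return matches[0]


def privileges_of(p: Principal) -> frozenset[str]:
    """Privileges follow from the roles the identity is associated with."""
    privs: set[str] = set()
    for role in AFFILIATIONS.get(p, frozenset()):
        privs |= ROLE_PRIVILEGES.get(role, frozenset())
    return frozenset(privs)


def may(p: Principal, action: str) -> bool:
    """'cks works here, of course he may enter the building.'"""
    return action in privileges_of(p)


if __name__ == "__main__":
    staff = resolve("cks", "utoronto.ca")
    print(staff, may(staff, "enter-building"))   # True
    other = resolve("cks", "example.org")
    print(other, may(other, "enter-building"))   # False
    try:
        resolve("cks")
    except AmbiguousIdentity as e:
        print("refused:", e)
```

Had the directory been keyed on the bare name 'cks', the example.org identity would have inherited the university identity's roles and privileges; qualifying the key with its namespace is what keeps the two John Smiths apart.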
