Security in four simple words
Walking around the RSA show floor today, I was struck by the angry fruit salad of words that different vendors and experts use to talk about security. Of course any professional field develops an insider lingo, but the security industry seems to suffer from inconsistent definitions and obfuscated meanings. For example, the word “trust” has a nuanced and somewhat counterintuitive meaning in security technology circles. That’s fine, but how can we expect mainstream organizations and professionals to get comfortable with significant security changes if we pull the rug out from under them by redefining such foundational words? If I can’t even rely on my innate understanding of “trust”, I’m going to be pretty suspicious of just about everything else.
What is this “ice cream” thing you’re trying to sell, Mr. Softee… if that’s even your real name?
If we’re going to make people comfortable with security, it’s important to demystify the core concepts. I’ve been thinking of how to explain the basic ideas without using any words in non-obvious ways. Here’s my first pass.
Definitions of four core words you have to know to talk about security, each used in a way that doesn't pervert its everyday meaning:
• Identity (noun) – Who you are.
• Privileges (noun) – What you’re allowed to do.
• Credential (noun) – A physical or electronic document that you can use to carry your identity and privileges.
• Validation (noun) – The act of making sure that your identity and privileges are accurate, right now.
The first three things are real or imagined objects. The last, validation, is an action that you have to perform pretty much every time you want to do something. Making validation reliable, fast and cheap is tricky and important. That’s what we do.
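As an added worked example (not code from the original post), here is how the four words map onto a small program. A credential is a document carrying an identity and a list of privileges, sealed by the issuing authority so it can't be altered; validation is the check a verifier runs at every access: is the seal genuine, is the document still in date, has the holder been revoked since it was issued, and does it actually grant the privilege being asked for. Everything in it (the authority key, the user names, the privilege names, the revocation set, the HMAC-sealed format) is constructed for illustration and is not anything the post describes.

```python
"""Identity, privileges, credential, validation: the four words in code.

Added example, not from the original post.  The credential format (JSON
body + HMAC tag), the authority key, and all names below are constructed
for illustration only.
"""
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real authority would keep this in an HSM or KMS.
AUTHORITY_KEY = b"demo-authority-key-not-for-production"


def _seal(payload: bytes) -> bytes:
    """The authority's seal over the credential body."""
    return hmac.new(AUTHORITY_KEY, payload, hashlib.sha256).digest()


def issue_credential(identity: str, privileges, issued_at: int, lifetime_s: int = 3600) -> str:
    """Build a credential: a document carrying who you are (identity) and
    what you may do (privileges), with a validity window, sealed by the authority."""
    body = {
        "identity": identity,
        "privileges": sorted(privileges),
        "issued_at": issued_at,
        "expires_at": issued_at + lifetime_s,
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(_seal(payload)).decode())


def validate(credential: str, required_privilege: str, now: int, revoked) -> tuple:
    """Validation: performed at every access, not once at issue time.

    Returns (ok, reason).  `now` is the verifier's clock and `revoked` is the
    revocation list fetched right now, because a credential that was accurate
    when issued may no longer be accurate today.
    """
    try:
        payload_b64, tag_b64 = credential.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "malformed"
    # Check the seal before trusting anything inside the document.
    if not hmac.compare_digest(tag, _seal(payload)):
        return False, "bad signature"
    body = json.loads(payload)
    if now >= body["expires_at"]:
        return False, "expired"
    if body["identity"] in revoked:
        return False, "revoked"
    if required_privilege not in body["privileges"]:
        return False, "privilege not granted"
    return True, "ok"


def tamper(credential: str, privileges) -> str:
    """Rewrite the privileges inside a credential but keep its original seal.
    A verifier that checks the seal must reject this as a forgery."""
    payload_b64, tag_b64 = credential.split(".")
    body = json.loads(base64.urlsafe_b64decode(payload_b64))
    body["privileges"] = sorted(privileges)
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag_b64


if __name__ == "__main__":
    # Constructed scenario: alice is issued read/write at t=1000 for one hour.
    cred = issue_credential("alice", ["read", "write"], issued_at=1000)
    print(validate(cred, "read", now=1500, revoked=set()))          # (True, 'ok')
    print(validate(cred, "delete", now=1500, revoked=set()))        # privilege not granted
    print(validate(cred, "read", now=5000, revoked=set()))          # expired
    print(validate(cred, "read", now=1500, revoked={"alice"}))      # revoked
    print(validate(tamper(cred, ["read", "write", "delete"]), "delete", now=1500, revoked=set()))
```

The order of checks in `validate` is the point worth copying: the seal is verified before the body is even parsed, and the revocation check is against a list consulted at validation time, which is what "accurate, right now" costs in practice and why making it fast and cheap matters.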
February 25, 2004
Comments
There has been work in the crypto community on anonymous (or pseudonymous) credentials. These would show that you are authorized to request some service without revealing your identity. And of course the object-capability guys (like Mark Miller's E language) make this concept the very foundation of their security system: if you hold the capability object, which is like a credential, you get access, without identities entering the picture at all.
Granted that these are minor parts of today's security world (at best) but it's possible that the simple identity-based credentials we've known in the past may eventually become more flexible and varied.
Posted by: Cypherpunk | Feb 25, 2004 8:44:50 PM
I agree completely. It is not always necessary to reveal a person's identity to prove their privileges. I'll write about this in more detail soon.
BTW, the handle "cypherpunk" brings back fond memories of the early days of annoying web registration forms. It's good to see the tradition is still around.
Posted by: Phil Libin | Feb 26, 2004 1:17:10 AM