ZARAZA writes:
>
> Dear Vic Abell,
>
> Imagine you're coming to your president's room
>
> Secretary: do you have an appointment?
> Mr. Abell: Yes, my name is Vic Abell
In this new and suspicious age, that wouldn't be the exchange.
It would be:
Secretary: Do you have an appointment?
Mr. Abell: Yes, my name is Vic Abell
Secretary: May I please see some identification?
Mr. Abell: Yes, here is my picture ID card, or my retina scan,
or my X.509 certificate, or my fingerprint, or ...
Now that the secretary has authenticated me, authorization can proceed.
> Secretary gets your name and looks into timetable and finds required
> record (that's what authorization is). Then she checks time and name are
> valid (it's authentication).
>
> Secretary: Oh, yes, Mr. Abell, you can come in.
>
> You can't authenticate user before you authorize him just because you
> don't know if information provided by user is valid or not.
I don't think someone should be authorized before the claimed identity
has been authenticated. Otherwise authorization might be given to
someone falsely claiming an identity.
Vic
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html