[TUHS] YP / NIS / NIS+ / LDAP

Grant Taylor gtaylor at tnetconsulting.net
Thu Nov 8 03:30:58 AEST 2018


On 11/07/2018 04:37 AM, Pete Turnbull wrote:
> Not really.  You go past the bouncer as an immediate consequence of 
> authorization.

I disagree.

To me these are two very distinct things.

I view authorization as a low pressure yes / no answer to should this 
access be allowed or not.

The access control (bouncer) is the high pressure and high risk exposed 
surface that people beat on to try to force their way in.

Much like how a low base current can control a high collector current on 
a transistor.

> The third 'A' is normally accounting: the bouncer notes the time you 
> entered in the visitors book or logbook, and sometimes also notes the 
> time you leave.  Just about every network access service does this, and 
> "access control" is the whole AAA thing combined.

I'll agree that accounting, or logging, is desired.  But many of the 
bouncers that I've seen don't do any logging (accounting) at all.  They 
simply enforce the decisions of other people (entities).

s/bouncer/security guard/ and I'll agree that logging (accounting) is 
typically done.

Does a turnstile do any logging?  Or does it simply allow somebody 
through if they provide the token?

> Have you ever seen a system that confirmed authentication and 
> authorisation but then denied access (other than through a fault)?

My ignorance does not preclude such from existing.

Think about someone approaching a checkpoint:

1)  They must authenticate themselves.
2)  They must be authorized to pass.
3)  The retractable tank traps (meant to be robust enough to stop a 
speeding car) must be retracted.

#3 is the access control that is independent of #1 & #2 and that takes 
time to move.

I view the access control as the physical (or logical) barrier that 
allows or prevents things based on input of others.

> Denying access would be by a (possibly temporary) denial of authorisation.

I disagree.  You are still authorized.  You are still permitted to do 
$theThing.

Reusing the tank trap comparison, does the driver's authentication or 
authorization status change between the time the guard says "Okay" and 
the time the driver leaves the checkpoint?  The access control takes 
time to execute, namely the time it takes the guard to initiate 
retracting the tank trap and the time it takes for the tank trap to 
retract.  This entire time the driver is still authenticated and still 
authorized.  But access is still being prevented.



-- 
Grant. . . .
unix || die
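As an added example (not part of the post or the TUHS thread), the following Python model separates the three things argued about above: authentication and authorization are yes/no decisions, the access-control barrier is a separate component with its own state that takes time to move, and accounting is a log kept apart from the barrier. The user names, tokens, and the "ticks" the barrier needs to retract are all constructed for illustration; the credential table stands in for whatever directory (NIS, LDAP, a flat file) would really answer the question.

```python
"""Model of authentication, authorization, access control and accounting
as four separate pieces.  Hypothetical example, not from the TUHS post."""
from dataclasses import dataclass, field
from enum import Enum


class BarrierState(Enum):
    CLOSED = "closed"
    RETRACTING = "retracting"   # guard said "Okay" but the tank trap is still up
    OPEN = "open"


# Constructed credential and policy tables (stand-ins for a real directory).
CREDENTIALS = {"alice": "token-a1", "bob": "token-b2"}
PERMITTED = {"alice"}           # bob can prove who he is but is not authorized


def authenticate(user, token):
    """Authentication: does the presented token match the stored one?"""
    return CREDENTIALS.get(user) == token


def authorize(user):
    """Authorization: a low-pressure yes/no policy answer."""
    return user in PERMITTED


@dataclass
class Barrier:
    """The access control: a physical/logical gate with its own state.
    It only ever acts on the decisions of others and takes time to move."""
    ticks_to_open: int = 2
    state: BarrierState = BarrierState.CLOSED
    remaining: int = 0

    def command_open(self):
        if self.state is BarrierState.CLOSED:
            self.state = BarrierState.RETRACTING
            self.remaining = self.ticks_to_open

    def tick(self):
        """One unit of time passes (the trap is retracting)."""
        if self.state is BarrierState.RETRACTING:
            self.remaining -= 1
            if self.remaining == 0:
                self.state = BarrierState.OPEN

    def close(self):
        self.state = BarrierState.CLOSED
        self.remaining = 0

    def passable(self):
        return self.state is BarrierState.OPEN


@dataclass
class Checkpoint:
    barrier: Barrier = field(default_factory=Barrier)
    log: list = field(default_factory=list)   # accounting, independent of the gate

    def request(self, user, token):
        """One approach to the checkpoint.
        Returns (authenticated, authorized, access_granted) for this instant."""
        authn = authenticate(user, token)
        authz = authn and authorize(user)
        if authz:
            self.barrier.command_open()   # guard initiates retraction
        access = self.barrier.passable()  # but the gate decides right now
        self.log.append((user, authn, authz, access))
        return authn, authz, access


if __name__ == "__main__":
    cp = Checkpoint()
    print(cp.request("alice", "token-a1"))   # authn+authz, barrier still up
    cp.barrier.tick()
    print(cp.request("alice", "token-a1"))   # still authorized, still blocked
    cp.barrier.tick()
    print(cp.request("alice", "token-a1"))   # now the barrier is down
```

The point the model makes is that `authorize()` returns the same answer on every call while `Barrier.passable()` changes from `False` to `True` only as time passes; the driver is authenticated and authorized throughout, yet access is denied until the gate finishes moving. The `log` list shows accounting as a third, separable concern: the checkpoint records every approach whether or not the barrier itself notices.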
