Wednesday, May 04, 2005

Your true identity

An article by Stephen Downes, "Authentication and Identification", reviews two concepts that have more than once confused even the most seasoned IT directors (DSIC), overwhelmed by the sales pitch of the bargain-basement consultants that swarm the corporate world.

Even though the distinction is therefore somewhat ambiguous, it is nonetheless possible to draw the distinction in a rough and ready fashion. A lot will ride on this distinction, so it is worth being as clear as possible at the outset.
  • Identification is the act of claiming an identity, where an identity is a set of one or more signs signifying a distinct entity.
  • Authentication is the act of verifying that identity, where a verification consists in establishing, to the satisfaction of the verifier, that the sign signifies the entity.
It also addresses the problems that arise on the Net, where the identity being authenticated is that of a machine, instead of, or in addition to, that of a person:

Online, while we may not be able to identify the person using the computer, we can establish the identity of the computer (within certain bounds). Thus liberated, we now have a legion of authentication schemes. For example:

IP-based authentication - a computer is deemed authenticated if and only if it accesses the internet through a limited range of IP addresses. Since IP addresses are owned, and since it is difficult to spoof an IP address, a computer reporting to be connected through the appropriate IP address is deemed to be authenticated.

Processor-based authentication - a computer (or an ethernet card, using a MAC address) is deemed to be authenticated if and only if it provides an authorized hardware address to the authentication service.

Trusted computing - a computer is deemed to be authenticated if and only if it provides credentials obtained from a 'trusted' programming space within the computer, that is, a part of the computer's program that is inaccessible to the computer user.

The process of authentication, therefore, involves the establishment of a unique identity for the computer (or some essential part of the computer, such as its ethernet card), and the transmission of that identity to the authentication service, whether that authentication service is the original service provider or some trusted third party that will provide testimony to the service provider.

It ties access, in other words, to a specific device, rather than to a specific person.


Update: the second part, "mIDm - Self-Identification the World Wide Web", is now available. It is a proposal for single sign-on on the Web, consisting of a single authentication procedure that would be carried out on your own web page:

"The proposal is dead simple:

You - a web user - create a website on which you create a program you can log in to (you don't have to do this yourself - you could use a program someone else created to do the same job - but the point is, you could do it yourself).

You then place the address of that program - its URL - into your browser.

Then, any time you go to a website, if that website wants to know who you are, it gets the URL from your browser and sends a request to the program. "Who is this?" the website will ask. "This is me!" the program will reply.

How does the website know that you've sent it to your program, and not someone else's? The same way Feedster or Technorati or Blogshares allows you to 'claim' a blog. It gives you a little bit of code which you then place into your program. Because you have to log into the program, only you could have placed the information there. So once the website gets the little bit of code back from the program, it is satisfied that you, indeed, are the person described by this program.

In a sense, it's no more and no less secure than having you type your personal information into a form. Sure, you could lie - but that's not the point here. The point is that this is a mechanism by which you, the web user, can make a declaration about who you are."

The invention works more or less like this:

  • A user declares the name of his or her private website - the location of an mIDm script on their own server (or a server provided by a host, such as an online community of their choosing)
  • When the user attempts to access a remote website, the remote website redirects their browser to that mIDm server with an access key (sometimes called a 'handle', though I don't like that name).
  • The mIDm server accepts and stores the key. The idea here is that only a person with access to the mIDm server can store that particular key.
  • The mIDm server redirects the user back to the remote website.
  • Upon the user's return, the remote website independently requests the key from the mIDm server.
  • If the key is returned, then the server accepts that the mIDm address provided by the user is valid, and hence, may request additional information (such as, say, FOAF data) from the mIDm server.
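The six steps above, and the earlier "claim a blog" mechanism they generalise, as an added simulation that is not Downes' own code: both parties are plain Python objects, the "network" is a constructed dictionary mapping a declared mIDm URL to its server, and the choices that a key is random, bound to one pending login and consumed on first lookup are this example's assumptions, not part of the proposal text.

```python
import secrets
from typing import Dict, Optional

class MidmServer:
    """The user's private mIDm script; only its owner can log in and store keys."""
    def __init__(self, password: str):
        self._password = password
        self._keys = set()

    def store_key(self, password: str, key: str) -> bool:
        # Step 3: storing a key requires logging in, so only the owner can do it.
        if not secrets.compare_digest(password, self._password):
            return False
        self._keys.add(key)
        return True

    def fetch_key(self, key: str) -> bool:
        # Step 5: the remote site asks for the key directly. Assumption: a key is
        # consumed on first lookup, so a later replay of the same key fails.
        if key in self._keys:
            self._keys.remove(key)
            return True
        return False

class RemoteSite:
    """The website that wants to know who the user is."""
    def __init__(self, network: Dict[str, MidmServer]):
        self._network = network   # constructed stand-in for HTTP requests keyed by URL
        self._pending = {}        # access key -> mIDm address the user declared

    def begin_login(self, midm_address: str) -> str:
        # Step 2: issue an unguessable access key and "redirect" the browser with it.
        key = secrets.token_urlsafe(16)
        self._pending[key] = midm_address
        return key

    def complete_login(self, key: str) -> Optional[str]:
        # Steps 5-6: on the user's return, ask the declared mIDm server for the key
        # ourselves instead of trusting anything the browser carried back.
        midm_address = self._pending.pop(key, None)
        server = self._network.get(midm_address)
        if server is not None and server.fetch_key(key):
            return midm_address   # accepted: this mIDm address is the user's identity
        return None

def run_flow(site, network, midm_address, password_typed) -> Optional[str]:
    """Simulate the browser's side of one login attempt (steps 1 to 6)."""
    key = site.begin_login(midm_address)                          # step 2
    network[midm_address].store_key(password_typed, key)          # step 3, user logs in
    return site.complete_login(key)                               # steps 4 to 6
```

Run with a correct password the flow returns the declared address; with a wrong password the key is never stored, so the remote site's independent lookup fails and no identity is accepted.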
