Let’s Not Forget Authorization

6:00 PM -- Mention AAA, and most people think of the folks who fix flat tires and jump dead batteries. Those in the defense world might think of Automatic Anti-Aircraft guns. But for us geeks, AAA is Authentication, Authorization, and Accounting, three key elements in network operations and frequently packaged together in unified solutions.

Authentication is one end of the connection proving its identity to the other. There are lots of mechanisms for this, like digital certificates and, my personal favorite, two-factor authentication, which involves something you have (like a hardware token) plus something you know (a password). Mutual authentication is particularly important in wireless applications, where the other end of the connection is often invisible, to avoid such problems as the evil twin situation. Accounting is just that -- logs, bills, and such.

In the middle, though, is the most important element of all. While authentication is all about who you are, authorization is all about what you’re allowed to do. One of the arguments against open access, on which the FCC recently decided to move forward on a somewhat limited basis, is that, well, just anyone might be allowed on the open-access service. This could (but need not) be true with respect to devices, but it says nothing about the specific users of those devices. Keep in mind that just because one might have a device that’s interoperable with a given network, this doesn’t mean that anyone can do anything in particular on that network. That’s what authorization is all about, and why open access isn’t truly open access unless it considers both technology and permission.
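As an added illustration (not part of the column), the AAA flow described above in Python: a user authenticates with two factors, but each service request is still a separate authorization decision, and every outcome, including denials, is recorded for accounting. The user names, credentials, token scheme and policy table are all constructed for this example.

```python
"""Constructed AAA example: authentication, then authorization, then accounting."""
import hashlib
import hmac

# Constructed credential store. A real deployment would use a salted, slow
# password hash; plain SHA-256 is used here only to keep the example short.
USERS = {
    "alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
              "token_secret": b"alice-token-secret", "role": "subscriber"},
    "guest": {"pw_hash": hashlib.sha256(b"guest").hexdigest(),
              "token_secret": b"guest-token-secret", "role": "guest"},
}
# Constructed policy: what each role may do, regardless of how it got on the network.
POLICY = {"subscriber": {"web", "voip"}, "guest": {"web"}}

ACCOUNTING: list = []  # (user, service, outcome) records


def token_code(secret: bytes, counter: int) -> str:
    """Stand-in for a hardware token: HMAC over a counter, truncated to six hex digits."""
    return hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:6]


def authenticate(user: str, password: str, code: str, counter: int) -> bool:
    """Who you are: something you know (password) plus something you have (token code)."""
    rec = USERS.get(user)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(rec["pw_hash"], hashlib.sha256(password.encode()).hexdigest())
    tok_ok = hmac.compare_digest(code, token_code(rec["token_secret"], counter))
    return pw_ok and tok_ok


def authorize(user: str, service: str) -> bool:
    """What you may do: a separate decision driven by role, not by having authenticated."""
    rec = USERS.get(user)
    return rec is not None and service in POLICY.get(rec["role"], set())


def request_service(user: str, password: str, code: str, counter: int, service: str) -> str:
    """Full AAA flow; the outcome is logged whether access is granted or not."""
    if not authenticate(user, password, code, counter):
        outcome = "auth-failed"
    elif not authorize(user, service):
        outcome = "denied"       # authenticated, yet not permitted to use this service
    else:
        outcome = "granted"
    ACCOUNTING.append((user, service, outcome))
    return outcome
```

The "guest" user can pass authentication and still be denied "voip", which is exactly the gap between being admitted to a network and being permitted to do something on it.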

— Craig Mathias is Principal Analyst at the Farpoint Group, an advisory firm specializing in wireless communications and mobile computing. Special to Unstrung

AllKindsOfThings 12/5/2012 | 3:01:18 PM
re: Let’s Not Forget Authorization

You are pointing to a very interesting topic.

While the traditional Telco industry believes they will remain happy with serving the well known, contract bound, billing relationship owner as a customer, the advertising financed internet parties consider "the unique user" as sufficient as their currency.

The fact that the entry level of a commercial relationship does not need any knowledge of the parties of each other to make commercial sense has basically made it into the Telco Industry.

In a similar way I can buy things in a supermarket for anonymous money flow, I have now many ways of anonymous access to the internet - offering many new parties to use it that were previously not able to access it.

Having such a very lightweight relationship, where service use can occur for the mere acceptance of a cookie and some advertising contact is however coming at a (at this time unexplored socio-economic) overall cost of giving up several things we have actually gotten quite fond of: The knowledge that the number displayed in your phone is indeed coming from the friend and is not faked, the fact that the service you connect to is indeed the service you pay for and not a look-alike.

We will see all levels of communication partner relationships next to each other, with three main ways for parties to represent themselves to each other:
1. Per your real Name, with an attached level of trust and credibility
2. By synonym, with a commercial liability and credibility attached but decoupled from visibility for third parties
3. In anonymity. The latter will also be split into managed anonymity (anonymous users that have some party still vouch for their credibility) and privacy protected anonymity (where people might use some anonymous methods of payment for being totally untraceable including for state authorities)

This added option space is of course somewhat a challenge to traditional players - including governments, state authorities and regulators - and not fully explored yet.

Many security features that were invented to protect a considered valuable service from unpaid usage have the side effect of also assuring that a consumer can rely on the service provider, trust that they are served to a minimum set of standards, and that their communication partners belong to the same pre-conditions of service access.

When most value chain partners that feed off service value are actually not the least interested in creating any added level of security, there is a price to pay for it at some other place, and that place is trust.

It's rather clear that the real economic interest of many parties in security is close to zero, because that would counteract the effect of the dramatically lowered barriers for making offers to users free of direct cost.

The assumption that we can buy security by financing people whose business is advertising is somewhat absurd: When the owner of the budget is an advertising driven business, they need to finance security AND advertising, so security is somewhat less of their focus than of someone whose money flow comes from providing secure and trustworthy service. Conclusively the advertising industry will seek to assure we feed them by paying for as much advertising overhead cost in as many products as possible - and they will throw in just as much security as is absolutely needed (respectively only under pressure when major hiccups prove how little they care).

P.S. It might actually be an interesting study how the split of costs and investments really change (from an ecosystem, consumer and state governance perspective) in an "advertising financed service economy" vs. "paying service providers directly", specifically how effective this is in terms of cost AND security for the service on the user end and for the sustainability of service delivery by service providers. Is there a limit on how many levels of value adding intermediaries (in form of the advertising food chain) you could add on top of an actual product before the whole value system collapses - any hint to a study where Harvard, Sloan, Wharton etc. may have dissected if this actually may just LOOK like cheap access for everyone, while the advertising industry might in fact have - without really getting noted - created a "tax-like fee without any value add" that is factored into absolutely any product we buy and by this may have in fact increased the cost for us to receive the same service or product - only indirectly and we cannot directly see the connection?
