uhyo_ I feel that both “authorizing the right to authorize” and just authorizing in the first place can be unified under “delegation of authority”. I still don’t understand (?) the essential meaning of splitting it into two different terms rather than doing so.
uhyo_ I wrote “people who are familiar with the related fields are rather unaware of the strict distinction” imagining that the “authentication/authorization” distinction is used only because it has such a convenient definition, and that people who are familiar with the related fields think with a more essential understanding, but it seems that this is not so (?).
keno_ss Isn’t that like saying that dogs and cats are mammals? We make a distinction in OAuth and so on because it is useful to think of them separately.
uhyo_ What can I say, I understand that it is useful from an implementation standpoint, but I don’t understand why the distinction is appreciated as if it were the essence of security. If I were to use an animal analogy, it would be like separating “black cats” and “cats” and being told, “This is biology!” (?).
keno_ss I’m not convinced by the claim that they are close concepts to begin with, but to what specific case are you referring? I’m thinking, for example, of GitHub login (authentication) and repository visibility (authorization).
uhyo_ I’m thinking that “logging in to GitHub” is a kind of authorization, considering that it is a way to obtain “the right to be transferred the privileges that a particular user has”. The way to verify whether a right is granted is very different between “authentication” and “authorization”, but I think that is not the essence of the issue.
This page is auto-translated from /nishio/認証/認可 using DeepL. If you find something interesting but the auto-translated English is not good enough to understand it, feel free to let me know at @nishio_en. I’m very happy to spread my thoughts to non-Japanese readers.