ykarandikar
commented
1 year ago This definition appears incorrect under the common understanding of what a credential is.
A credential (password, FIDO credential, etc.) is used to authenticate something (e.g. a user) by proving possession of the credential. Once authenticated, the permissions granted to that user or device are used to authorize the actions that may be taken. While a user can be authorized without being authenticated (e.g. an anonymous, unauthenticated user of a web site may be authorized to view the publicly available content), that does not reflect the intent of the use case.
Additionally, there is a misspelling of the work "cryptographic" in the PR.
As DKG had pointed out in an earlier email thread on IETF mailing list, for some credentials there may not be any authentication at the access point.
So this definition tries to take that into account and cover all possible cases.
All credentials are used for authorization with the access point. Some are also used for mutual authentication.
If the language needs to be re-worded, we can certainly look into suggestion. But in terms of content, this definition is definitely accurate.
I'll fix the typo. Thanks!
dimmyvi
This definition appears incorrect under the common understanding of what a credential is.
A credential (password, FIDO credential, etc.) is used to authenticate something (e.g. a user) by proving possession of the credential. Once authenticated, the permissions granted to that user or device are used to authorize the actions that may be taken. While a user can be authorized without being authenticated (e.g. an anonymous, unauthenticated user of a web site may be authorized to view the publicly available content), that does not reflect the intent of the use case.
Additionally, there is a misspelling of the work "cryptographic" in the PR.