[R-ReAuth] Ability for server to signal that re-authentication is required where you'd normally expect an authorization decision.

I didn't phrase that too well, but I guess folks'll recognize the
Let me test your theory that folks will recognize the issue.
We discuss a requirement with our customers which may or may not be the same as this. We call it either "step-up authentication" or "authorization based on strength of authentication".

The idea is that the authorization rules state that in order to be granted access to a resource, the requester must authenticate using a particular mechanism, which is normally viewed as "extra strong" or "strong enough for purposes of this specific access".
We also discuss another requirement which is at least related to this. I don't think we have a name for it, so I'll make one up: "verification of presence". This requirement says that in order to perform some action the requester must re-authenticate (perhaps using the same mechanism as initial authentication) in order to verify that he or she hasn't walked away and abandoned a session which has subsequently been "adopted" by somebody
People familiar with ATM machine security will recognize this one.
Is either of these what you mean? Are both?
Chief Scientist, Security
Tivoli Systems, Inc.
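The two requirements described in the message above, step-up authentication (authorization based on strength of authentication) and "verification of presence" (re-authentication before a sensitive action), can both be expressed as an authorization decision with a third outcome besides permit and deny. The following is an added illustration, not code from the original message or from Tivoli; the mechanism names, strength ordering, resource paths, timeouts and function names are all assumptions.

```python
"""Authorization decision that can answer "re-authentication required".

Illustrative example only (not from the original message or Tivoli).
Mechanism names, strength ranks, resources and timeouts are assumed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Assumed ordering of authentication mechanisms from weakest to strongest.
STRENGTH = {"password": 1, "otp": 2, "smartcard": 3}


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    REAUTH_REQUIRED = "re-authentication required"


@dataclass
class Session:
    subject: str
    mechanism: str           # mechanism used for the most recent authentication
    authenticated_at: float  # time (seconds) of that authentication
    roles: frozenset


@dataclass
class Rule:
    allowed_roles: frozenset
    min_strength: int = 1                 # step-up: weakest acceptable mechanism
    max_auth_age: Optional[float] = None  # presence: max seconds since last auth


# Constructed policy: the transfer action needs a stronger mechanism than
# viewing a balance and a recent authentication; key management is admin-only
# and requires the strongest mechanism.
POLICY = {
    "/account/balance": Rule(allowed_roles=frozenset({"customer"})),
    "/account/transfer": Rule(allowed_roles=frozenset({"customer"}),
                              min_strength=2, max_auth_age=300),
    "/admin/keys": Rule(allowed_roles=frozenset({"admin"}), min_strength=3),
}


def weakest_mechanism_at_least(strength: int) -> str:
    """Name the weakest assumed mechanism meeting a strength requirement."""
    return min((m for m, s in STRENGTH.items() if s >= strength), key=STRENGTH.get)


def decide(session: Session, resource: str, now: float) -> Tuple[Decision, str]:
    """Return the decision plus a hint the server can pass to the client."""
    rule = POLICY.get(resource)
    if rule is None:
        return Decision.DENY, "unknown resource"

    # Ordinary authorization first: a subject whose roles never qualify is
    # denied outright; no amount of re-authentication would change that.
    if not (session.roles & rule.allowed_roles):
        return Decision.DENY, "role not permitted"

    # Step-up: the subject is allowed in principle but authenticated with a
    # mechanism weaker than the rule demands, so ask for a stronger one.
    if STRENGTH.get(session.mechanism, 0) < rule.min_strength:
        needed = weakest_mechanism_at_least(rule.min_strength)
        return Decision.REAUTH_REQUIRED, f"authenticate with {needed} or stronger"

    # Verification of presence: the authentication is too old for this action,
    # so require a fresh one (the same mechanism is acceptable).
    if rule.max_auth_age is not None and now - session.authenticated_at > rule.max_auth_age:
        return Decision.REAUTH_REQUIRED, "re-authenticate to confirm presence"

    return Decision.PERMIT, ""


if __name__ == "__main__":
    alice = Session("alice", "password", authenticated_at=1000.0,
                    roles=frozenset({"customer"}))
    for res in POLICY:
        print(res, decide(alice, res, now=1100.0))
```

The distinguishing point is the order of the checks: a role failure is a deny, because re-authenticating cannot cure it, while a strength or freshness failure is reported as a re-authentication signal with a hint about what is expected, which is exactly the "third answer" the requirement asks for.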