Saturday, August 25, 2007

Why use the term "principal" when "user" would do?


Some terms I just accept straight off, some take time getting used to, and some just never seem to settle right. For me the term 'principal' has always been a strange one; it doesn't connect to the part of my brain that carries the concept of a user. Often it helps if I get an understanding of why the term came into use, since the history often explains a logical or sensible reason for its usage.

The term is also used in the description of Authentication in Wikipedia:

In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication such as a request to log in. The sender being authenticated, often referred to as the principal, may be a person using a computer, a computer itself or a computer program. A blind credential, in contrast, does not establish identity at all, but only a narrow right or status of the user or program.

This really doesn't explain it to me, so I'll continue my search.

The Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0 [PDF] defines Principal as "A system entity whose identity can be authenticated. [X.811]" and, of interest later in this post, Principal Identity as "A representation of a principal's identity, typically an identifier."

The Glossary references X.811 : Information technology - Open Systems Interconnection - Security frameworks for open systems: Authentication framework [PDF]. Here the term is defined in 3.15: "principal: An entity whose identity can be authenticated." Uhmm, a little more is added in section "5.1.1 Identification and authentication":

A principal is an entity whose identity can be authenticated. A principal has one or more distinguishing identifiers associated with it. Authentication services can be used by entities to verify purported identities of principals. A principal’s identity which has been so verified is called an authenticated identity.

Examples of principals that can be identified and hence authenticated are:

  • human users;
  • processes;
  • real open systems;
  • OSI layer entities; and
  • enterprises.

Distinguishing identifiers are required to be unambiguous within a given security domain. Distinguishing identifiers distinguish a principal from others in the same domain, in one of two ways:

  • at a coarse level of granularity, by virtue of membership in a group of entities considered equivalent for purposes of authentication (in this case the entire group is considered to be one principal and has one distinguishing identifier); or
  • at the finest degree of granularity, identifying one and only one entity.

There's more in "5.6 Types of principal":

Principals can be categorized in various ways, such as:

  • a) those with passive characteristic(s), e.g. fingerprint, retinal characteristics;
  • b) those with information exchange and processing capability;
  • c) those with information storage capability; and
  • d) those with a unique fixed location.

Principals may fit more than one category [for example, human entities fit a), b) and c)].

So what does this come down to? Well, it looks like they've taken quite an academic approach, and that is probably why they chose the word principal. One point is that it's not simply a user - it can be a user, but just as well a group of users, a process or, as the standard says, an enterprise! So they could not use the term user, since the concept is wider.

The article "What Is A Security Principal" on Pluralsight reaches the same conclusion.

A security principal is an entity that can be positively identified and verified via a technique known as authentication (WhatIsAuthentication). Usually when people think of security principals, they think of users, but there's a bit more to it than that. I like to think of three different types of principals:

  • User principals
  • Machine principals
  • Service principals
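To make the distinction concrete, here is an added example (my own illustration, not code from X.811, SAML or the Pluralsight article) that models a security domain in the X.811 sense: every principal, whether user, group, process, machine or service, carries a distinguishing identifier that must be unambiguous within the domain, authentication turns a principal into an "authenticated identity", and authorization is keyed on that identity rather than on the principal being a human user. The class and function names, the principal kinds and the shared secrets are all constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Principal kinds mentioned on this page (X.811 lists users, processes, systems,
# enterprises; Pluralsight lists user, machine and service). Constructed set.
KINDS = {"user", "group", "process", "machine", "service"}

@dataclass(frozen=True)
class Principal:
    identifier: str        # distinguishing identifier, unambiguous within its domain
    kind: str              # one of KINDS
    credential_hash: str   # SHA-256 of a constructed shared secret (demo only;
                           # real password storage uses a slow, salted hash)

@dataclass(frozen=True)
class AuthenticatedIdentity:
    """X.811 5.1.1: a principal's identity that has been verified."""
    identifier: str
    kind: str

class SecurityDomain:
    def __init__(self, name: str):
        self.name = name
        self._principals: dict[str, Principal] = {}

    def register(self, identifier: str, kind: str, secret: str) -> Principal:
        if kind not in KINDS:
            raise ValueError(f"unknown principal kind: {kind}")
        if identifier in self._principals:
            # identifiers must distinguish one principal from all others in the domain
            raise ValueError(f"{identifier!r} already names a principal in {self.name}")
        p = Principal(identifier, kind, hashlib.sha256(secret.encode()).hexdigest())
        self._principals[identifier] = p
        return p

    def authenticate(self, identifier: str, secret: str) -> Optional[AuthenticatedIdentity]:
        """Verify the purported identity; None means authentication failed."""
        p = self._principals.get(identifier)
        if p is None:
            return None
        presented = hashlib.sha256(secret.encode()).hexdigest()
        if not hmac.compare_digest(presented, p.credential_hash):  # constant-time compare
            return None
        return AuthenticatedIdentity(p.identifier, p.kind)

def may_read_reports(identity: Optional[AuthenticatedIdentity], acl: set[str]) -> bool:
    """Authorization is keyed on the authenticated identifier, not on 'being a user'."""
    return identity is not None and identity.identifier in acl
```

A service principal on the ACL gets the same answer as a user principal, which is exactly why "user" is too narrow a word for what is being authenticated.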

Does this make it clearer to me? Not really - I gladly use the term "user" for a process, since I can abstract what I mean by a user. Maybe someday I'll get the insight when I stumble upon a case that opens it up to me. Anyway, hopefully writing this post will help connect the right dots in my brain, so that I'll adopt the term 'principal'.