Effective CISSP Questions

Which of the following is least likely to be used to implement authentication? (Wentz QOTD)
A. Public key infrastructure
B. 802.1X
C. XACML
D. HTTP Basic Authentication

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. XACML.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Sample XACML Implementation

XACML is primarily used for authorization, not authentication. PKI can be implemented to support mutual authentication (for example, client and server certificates in TLS). 802.1X, aka EAP over LAN, is a standard for port-based network access control that authenticates the connecting device or user with EAP. HTTP Basic Authentication is an authentication scheme that sends the credentials in cleartext (only Base64-encoded, not encrypted); however, it can be protected by TLS/SSL.

XACML stands for “eXtensible Access Control Markup Language”. The standard defines a declarative fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies.

As a published standard specification, one of the goals of XACML is to promote common terminology and interoperability between access control implementations by multiple vendors. XACML is primarily an attribute-based access control system (ABAC), also known as a policy-based access control (PBAC) system, where attributes (bits of data) associated with a user or action or resource are inputs into the decision of whether a given user may access a given resource in a particular way. Role-based access control (RBAC) can also be implemented in XACML as a specialization of ABAC.

The XACML model supports and encourages the separation of enforcement (PEP) from decision making (PDP) from management / definition (PAP) of the authorization. When access decisions are hard-coded within applications (or based on local machine userids and access control lists (ACLs)), it is very difficult to update the decision criteria when the governing policy changes and it is hard to achieve visibility or audits of the authorization in place. When the client is decoupled from the access decision, authorization policies can be updated on the fly and affect all clients immediately.

Source: Wikipedia
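To make the PAP/PDP/PEP separation and the attribute-based decision concrete, here is a small ABAC engine written for this post. It is an added, constructed example, not code from the original page and not an XACML implementation: the policy language, the `PAP`/`PDP`/`PEP` classes and the hospital attributes are all assumptions chosen to illustrate the model. Authentication happens before any of this (the subject attributes are taken as already established); the engine only answers the authorization question, which is the reason XACML is the answer to the question above.

```python
"""Minimal attribute-based access control (ABAC) engine modelled on the XACML roles:
PAP defines policies, PDP decides, PEP enforces. Constructed example, not XACML itself."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Attributes = Dict[str, str]
Condition = Callable[[Attributes], bool]


@dataclass
class Rule:
    """A rule yields its effect when every condition holds over the request attributes."""
    rule_id: str
    effect: str                      # "Permit" or "Deny"
    conditions: List[Condition] = field(default_factory=list)

    def matches(self, request: Attributes) -> bool:
        return all(cond(request) for cond in self.conditions)


@dataclass
class Policy:
    """Rules combined with a deny-overrides algorithm (one Deny wins over any Permit)."""
    policy_id: str
    rules: List[Rule]

    def evaluate(self, request: Attributes) -> str:
        effects = [r.effect for r in self.rules if r.matches(request)]
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"


class PAP:
    """Policy Administration Point: the single place where policies are defined or updated."""
    def __init__(self) -> None:
        self.policies: Dict[str, Policy] = {}

    def publish(self, policy: Policy) -> None:
        self.policies[policy.policy_id] = policy   # replaces an older version with the same id


class PDP:
    """Policy Decision Point: evaluates a request against whatever the PAP currently holds."""
    def __init__(self, pap: PAP) -> None:
        self.pap = pap

    def decide(self, request: Attributes) -> str:
        decisions = [p.evaluate(request) for p in self.pap.policies.values()]
        if "Deny" in decisions:
            return "Deny"
        if "Permit" in decisions:
            return "Permit"
        return "NotApplicable"


class PEP:
    """Policy Enforcement Point: the application-side gate. It never decides on its own;
    anything other than an explicit Permit is treated as denied (default deny)."""
    def __init__(self, pdp: PDP) -> None:
        self.pdp = pdp

    def is_allowed(self, subject: Attributes, resource: Attributes, action: str) -> bool:
        # Subject attributes are assumed to come from a completed authentication step
        # (for example a PKI certificate or an 802.1X session); the PEP only carries them.
        request = {**{f"subject.{k}": v for k, v in subject.items()},
                   **{f"resource.{k}": v for k, v in resource.items()},
                   "action": action}
        return self.pdp.decide(request) == "Permit"


def build_demo() -> Tuple[PAP, PEP]:
    """Constructed hospital policy: doctors may read records, but never across departments."""
    pap = PAP()
    pap.publish(Policy("medical-records", [
        Rule("doctor-read", "Permit", [
            lambda r: r.get("subject.role") == "doctor",
            lambda r: r.get("resource.type") == "record",
            lambda r: r.get("action") == "read",
        ]),
        Rule("same-department-only", "Deny", [
            lambda r: r.get("resource.type") == "record",
            lambda r: r.get("subject.department") != r.get("resource.department"),
        ]),
    ]))
    return pap, PEP(PDP(pap))


def run_scenarios() -> Dict[str, bool]:
    """Shows deny-overrides and that a PAP update reaches the PEP without redeploying it."""
    pap, pep = build_demo()
    record = {"type": "record", "department": "cardiology"}
    doctor = {"role": "doctor", "department": "cardiology"}
    nurse = {"role": "nurse", "department": "cardiology"}
    results = {
        "doctor_same_dept": pep.is_allowed(doctor, record, "read"),
        "doctor_other_dept": pep.is_allowed({**doctor, "department": "oncology"}, record, "read"),
        "nurse_before_update": pep.is_allowed(nurse, record, "read"),
    }
    # Policy change made only at the PAP: nurses may now read records (same-department rule still applies).
    pap.publish(Policy("nurse-access", [
        Rule("nurse-read", "Permit", [
            lambda r: r.get("subject.role") == "nurse",
            lambda r: r.get("resource.type") == "record",
            lambda r: r.get("action") == "read",
        ]),
    ]))
    results["nurse_after_update"] = pep.is_allowed(nurse, record, "read")
    return results


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'Permit' if allowed else 'Deny'}")
```

The cross-department request is denied even though the "doctor-read" rule permits it, which is the deny-overrides combining behaviour; the nurse is allowed only after the PAP publishes a new policy, and the PEP code is untouched, which is the decoupling the quoted text describes.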


Which of the following is least likely to be used to implement authentication? (Wentz QOTD)
A. Public key infrastructure
B. 802.1X
C. XACML
D. HTTP Basic Authentication

4 thoughts on “CISSP PRACTICE QUESTIONS – 20211010”

  1. could you please confirm if XACML is in latest CISSP syllabus? cannot see it in either OSG or CBK??

  2. Pingback: XACML Extensible Access Control Markup Language – Choson資安大小事
