by tremon 1003 days ago
Even 30 years ago, the core argument would have been nonsensical.

1. They introduce their argument as if it is solely about shell access (the conclusion also only mentions "login access control"), but then the first example/statement they make is about non-shell access (Samba, IMAP, Apache).

2. The second argument conflates authentication and authorization, and concludes that to implement shell authorization properly, your only choice is to provide multiple authentication systems.

Zero effort is spent on explaining why existing/historic shell authorization systems (such as simple DAC groups or rbash) are inadequate, and it's not clear to me what threat model they are using to arrive at their conclusion.

edit: rethinking this, I think TFA is just lacking a clear problem statement. They seem to be talking specifically about non-shell services that (ab)use the user's shell field in /etc/passwd as authorization information, and then complaining that many services did not follow suit.


Few contractions foment confusion as much as “auth”. Don’t do it.
authn vs authz: Authentication vs Authorization

authn/authentication: user proves who they are, with username/password or otherwise

authz/authorization: based on who the user is, system determines what they are allowed to do, via group membership or otherwise
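An added example, not from any commenter or from TFA, showing the split the two definitions above draw, and the "shell field as authorization" pattern the earlier comment complains about. All of the data is constructed inline in /etc/passwd, /etc/group and /etc/shells format; the users, groups, passwords, the per-service policy in SERVICE_GROUPS and the verifier store standing in for /etc/shadow are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data in /etc/passwd, /etc/group and /etc/shells format.
# These are not real accounts; they exist only so the example runs offline.
PASSWD_TEXT = """\
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/usr/sbin/nologin
carol:x:1002:1002:Carol:/home/carol:/bin/zsh
"""
GROUP_TEXT = """\
alice:x:1000:
bob:x:1001:
carol:x:1002:
wheel:x:10:alice
mailusers:x:500:alice,bob
samba:x:501:bob,carol
"""
SHELLS_TEXT = "/bin/sh\n/bin/bash\n/bin/zsh\n"

# Hypothetical per-service policy: which groups grant access to which service.
SERVICE_GROUPS = {"ssh": {"wheel"}, "imap": {"mailusers"}, "smb": {"samba"}}


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    shell: str


def parse_passwd(text):
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        entries[name] = PasswdEntry(name, int(uid), int(gid), shell)
    return entries


def parse_group(text):
    """Return (gid -> group name, group name -> set of member names)."""
    by_gid, members = {}, {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, mem = line.split(":")
        by_gid[int(gid)] = name
        members[name] = {m for m in mem.split(",") if m}
    return by_gid, members


PASSWD = parse_passwd(PASSWD_TEXT)
GID_TO_NAME, GROUP_MEMBERS = parse_group(GROUP_TEXT)
VALID_SHELLS = set(SHELLS_TEXT.split())


# --- authn: the user proves who they are ----------------------------------
def make_verifier(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed verifier store (stand-in for /etc/shadow). The plaintext passwords
# appear here only to build the example; the checks below never see them.
VERIFIERS = {
    "alice": (b"salt-alice", make_verifier("hunter2", b"salt-alice")),
    "bob": (b"salt-bob", make_verifier("correct horse", b"salt-bob")),
    "carol": (b"salt-carol", make_verifier("s3cret", b"salt-carol")),
}
_DUMMY = (b"salt-dummy", make_verifier("", b"salt-dummy"))


def authenticate(user, password):
    """Authentication only: is the caller really `user`? Says nothing about access."""
    salt, expected = VERIFIERS.get(user, _DUMMY)  # unknown users still cost one PBKDF2
    ok = hmac.compare_digest(make_verifier(password, salt), expected)
    return ok and user in VERIFIERS


# --- authz: given who the user is, what may they do ------------------------
def groups_of(user):
    entry = PASSWD[user]
    groups = {GID_TO_NAME[entry.gid]} if entry.gid in GID_TO_NAME else set()
    groups |= {g for g, members in GROUP_MEMBERS.items() if user in members}
    return groups


def authorize(user, service):
    """DAC-style authorization: group membership decides access per service."""
    return bool(groups_of(user) & SERVICE_GROUPS.get(service, set()))


def shell_field_authz(user):
    """The pattern the thread criticises: the login shell treated as an access bit."""
    return PASSWD[user].shell in VALID_SHELLS


def login(user, password, service):
    """Returns (authenticated, authorized); the second is meaningful only if the first is True."""
    if not authenticate(user, password):
        return (False, False)
    return (True, authorize(user, service))


if __name__ == "__main__":
    for user, service in [("alice", "ssh"), ("bob", "imap"), ("carol", "imap")]:
        print(user, service, "groups:", authorize(user, service), "shell:", shell_field_authz(user))
```

The point the contrast makes: bob is a legitimate IMAP user by group membership but has a nologin shell, so a service that reads the shell field would turn him away, while carol, who has a real shell but no mail group, would be let in. The two decisions use different evidence, which is exactly why they deserve different names.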

authz may be confusing to non-USA English speakers. I wouldn't make the connection without it spelled out to me. Unfortunately I don't have a better suggestion, because auths as short for authorisation is probably worse.
If you work with computers (rather than using them) and don't default to USA English when discussing and using them, you are likely in for a bad time.
I think it is less confusing than just calling it auth. I have read many articles about basic auth vs oauth. But the auth here isn't the same.
You can't pronounce authn and authz very well, but to be perfectly honest I'm not sure if that falls under the 'pro' or 'con' column.
I think it's a pro. In saying auth-enn and auth-zee (zed), it's clear which of the two you're talking about.
To me they look like the kind of abbreviations I'd only do when writing. I just say authentication or authorisation when reading them (out loud or in my own mind)
TBH, we'd be better off without any of the contracted forms.
The only exception is if you mean both, but even that's confusing if the context isn't clear.

spell them out or use authn/authz.

You're not thinking like a thought leader.