Changes between Version 3 and Version 4 of TIEDABACModel

Timestamp: 07/28/09 14:07:08 (15 years ago)
Author: mikeryan@isi.edu
Comment: remove extra word
  • TIEDABACModel

    v3 v4  
    2323In this case, the delegated attribute (GPO GENI user) is delegated to principals who possess a one (or more) of a set of attributes (''P'' GENI user for many ''P'').  That set is defined in terms of an authorizer attribute (NSF PI).  Any principal with the authorizer attribute can assign the delegated attribute by assigning their local version of the delegating attribute (''P'' GENI user where ''P'' has the NSF PI attribute).  This links the authorizer attribute to the delegating attributes, and is often called a linked attribute.
    2424
    25 Each of these delegations is expressed as an ABAC credential: an a signed assertion that can be used in a proof.  Because each of these is a signed assertion of a fact or delegation of authority, connecting them in following the rules above corresponds to collecting those signed credentials, which establishes a trust relationship.  ABAC credentials allow principals to negotiate directly about what they consider adequate proof.  Below we show a simple visualization that represents constructing that proof as finding a path between two nodes in a graph; the actual negotiation protocol can be similarly simple.
     25Each of these delegations is expressed as an ABAC credential: a signed assertion that can be used in a proof.  Because each of these is a signed assertion of a fact or delegation of authority, connecting them in following the rules above corresponds to collecting those signed credentials, which establishes a trust relationship.  ABAC credentials allow principals to negotiate directly about what they consider adequate proof.  Below we show a simple visualization that represents constructing that proof as finding a path between two nodes in a graph; the actual negotiation protocol can be similarly simple.
    2626
    2727Until an authorization decision needs to be made, all of these credentials can be kept locally and brought together to make the decision.  Principals can also pass them around so they are available when needed.  For example, when the NSF designates a PI, it may send that PI the signed attribute so that the PI can use it in authorization requests.
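Review bot: with the duplicated article removed, the new line 25 still has an awkward clause in "connecting them in following the rules above corresponds to collecting those signed credentials"; suggest "connecting them by following the rules above", which parses on first reading and matches the path-finding description later in the same line.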