Changes between Version 8 and Version 9 of TIEDCredentials


Timestamp:
04/19/13 19:12:41 (11 years ago)
Author:
faber@isi.edu
Comment:

--

  • TIEDCredentials

    v8 v9  
    55GENI is currently working toward making [wiki:TIEDABACModel ABAC] the primary authorization system for the [wiki:GAPI_AM_API GENI AM API]. A first step in that direction is to use the ABAC prover library, [http://abac.deterlab.net libabac], to make authorization decisions based on the current GENI policy.  A first step in this direction is to implement current GENI policy - including a new "speaks-for" feature - using ABAC without changing the existing AM API calls or credential formats.  This document describes our approach to do so.  While there are other issues to consider, for example improving libabac portability, this document does not address them.
    66
    7 For most elemets in the system, the workflow is unchanged.  They generate the same credentials they would otherwise.  The workflow change for any element that makes an access check based on GENI privilege credentials, for example an aggregate manager, is that when it receives a request through the [wiki:GAPI_AM_API GENI AM API] it will
     7Current GENI credentials allow one principal to grant privileges to other principals.  If the original granting principal allows it, privileges can be further delegated.
     8
     9The "speaks-for" privilege is a new privilege intended to be used as follows. A user wishes to use a tool to access aggregate managers but does not want to give its identity certificate and private key to that tool, which may be a web service.  The user can issue a GENI credential granting a "speaks-for" right to the tool (a principal).  The tool includes that credential in its requests and the aggregate manager (and other parties making authorization decisions) will treat these requests as though they came from the user.
     10
     11This differs from delegation in two ways:
     12
     13 * Credential issuers need not issue delegatable privileges
     14 * A tool need not receive and manipulate all the delegated credentials
     15
     16"Speaks-for" makes all existing GENI credentials delegatable by "speaks-for".  To make future credentials immune to this delegation will require a format change to the GENI credentials.  It is unclear to me if "speaks-for" permits delegation as well, but the rest of this document assumes that it does.
     17
     18When using the ABAC access code, for most elemets in the system, the workflow is unchanged.  They generate the same credentials they would otherwise.  The workflow change for any element that makes an access check based on GENI privilege credentials, for example an aggregate manager, is that when it receives a request through the [wiki:GAPI_AM_API GENI AM API] it will
    819
    920 * Initialize an ABAC prover with its current policy (the prover is initialized for each request to allow dynamic policy changes),
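Review bot: the spelling error "elemets" in the removed line 7 ("For most elemets in the system") is carried over unchanged into the added line 18 ("for most elemets in the system"); it should read "elements" in v9. Two further points on the added text: line 16 leaves a security-relevant question open ("It is unclear to me if "speaks-for" permits delegation as well, but the rest of this document assumes that it does"), and since whether a speaks-for right can itself be re-granted by the tool changes who can end up acting as the user, it would be better recorded as an explicit design decision or open issue rather than as an aside; and line 16 now says the immunity fix needs "a format change to the GENI credentials" where the text it replaces (old line 47) said "the privilege credentials", so one of the two terms should be used consistently.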
     
    3849= GENI Privilege Credentials and "Speaks-for" =
    3950
    40 The "speaks-for" privilege is intended to be used as follows. A user wishes to use a hosted tool to access aggregate managers but does not want to give its identity certificate and private key to that tool, which may be a web service.  The user can issue a GENI credential granting a "speaks-for" right to the tool (a principal).  The tool includes that credential in its requests and the aggregate manager (and other parties making authorization decisions) will treat these requests as though they came from the user.
    4151
    42 This differs from delegation in two ways:
    43 
    44  * Credential issuers need not issue delegatable privileges
    45  * A tool need not receive and manipulate all the delegated credentials
    46 
    47 "Speaks-for" makes all existing GENI credentials delegatable by "speaks-for".  To make future credentials immune to this delegation will require a format change to the privilege credentials.
    4852
    4953= GENI Policy in ABAC =
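Review bot: removing old lines 40-47 (the speaks-for description that was moved up to new lines 9-16) leaves the v9 heading "= GENI Privilege Credentials and "Speaks-for" =" at line 49 with nothing under it before "= GENI Policy in ABAC =" at line 53; either drop the now-empty heading or move it up to sit above the relocated text so the section still has a body.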