Changes between Version 15 and Version 16 of TIEDABACDemo


Timestamp:
07/10/09 19:58:37 (10 years ago)
Author:
faber@isi.edu
  • TIEDABACDemo

    v15 v16  
    157157
    158158[[Image(example10.png)]]
     159
     160=== Negotiating Access ===
     161
     162While the global graph is somewhat daunting in its complexity, it is important to realize that any single access decision requires the construction of only one path from principal to attribute.  The two endpoints construct a graph together from their credentials, each of which represents an edge in the visualization above.  For example, the case where faber is authenticating to the slice requires proving that faber has the GENI.CTFadmin credential.  The slice has the following relevant credential:
     163
     164[[Image(example1.png)]]
     165
     166And faber holds:
     167
     168[[Image(example11.png)]]
     169
     170The simplest exchange is that faber requests access, the slice sends its relevant credential as a starting graph and faber responds with the completed graph:
     171
     172[[Image(example12.png)]]
     173
     174Each side can check all the credentials to make sure the reasoning is sound.  The credentials only fit together one way so they agree on the proof.  At that point the authorization is complete.
     175
     176If the environment is open, the GENI principal can simply publish the relevant credential for CTF slice admin (and general) access.  Because each requester now knows the beginning of the graph, they are likely to be able to include the whole proof in their first request, removing a round trip time.
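Review bot: the added "Negotiating Access" section says "Each side can check all the credentials to make sure the reasoning is sound" but never says what that check consists of, so a reader cannot tell what makes the exchange safe; suggest stating it explicitly in that paragraph, e.g. "Each side verifies that every credential in the graph was issued by the principal it names, and that the edges form an unbroken path from the slice's credential to faber", since agreement on the proof only matters if each credential is checked rather than trusted as presented. The same applies to the final paragraph: once the GENI principal publishes its credential, a requester that builds the whole proof from the published copy still needs the slice to verify that copy against the issuer before accepting the one-round-trip request, and a sentence saying so would make the "removing a round trip time" optimization read as sound rather than as skipping the check.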