Changes between Version 28 and Version 29 of TIEDABACDemo
Timestamp: 07/13/09 18:24:20 (15 years ago)
TIEDABACDemo
v28 v29 141 141 === Negotiating Access === 142 142 143 While the global graph is somewhat daunting in its complexity, it is important to realize that any single access decision requires the construction of only one path from principal to attribute. The two endpoints construct a graph together from their credentials, each of which represents an edge in the visualization above. For example, the case where faber is authenticating to the slice requires proving that faber has the GENI.CTFadmin credential. The slice has the following relevant credential:143 While the global graph is somewhat daunting in its complexity, it is important to realize that any single access decision requires the construction of only one path from principal to attribute. The two endpoints construct a graph together from their credentials, each of which represents an edge in the visualization above. For example, the case where faber is seeking authorization to access the slice requires proving that faber has the '''GENI.CTFaccess''' credential. The slice has the following relevant credentials: 144 144 145 145 [[Image(example1.png)]] 146 147 and 148 149 [[Image(example4.png)]] 150 151 and 152 153 [[Image(example13.png)]] 146 154 147 155 And faber holds: … … 149 157 [[Image(example11.png)]] 150 158 151 The simplest exchange is that faber requests access, the slice sends its relevant credential as a starting graph and faber responds with the completedgraph:159 The simplest exchange is that faber requests access, the slice builds a graph of all the credentials that might be part of a path from principal to credential, and sends them to faber. That message contains credentials that represent this graph: 152 160 153 [[Image(example1 2.png)]]161 [[Image(example15.png)]] 154 162 155 163 Each side can check all the credentials to make sure the reasoning is sound. The credentials only fit together one way so they agree on the proof. At that point the authorization is complete.
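Review bot: New line 143 calls '''GENI.CTFaccess''' a "credential", but the same paragraph says a decision needs a path "from principal to attribute" and that each credential is an edge in the graph, so the thing faber must prove is an attribute. Suggest "requires proving that faber has the '''GENI.CTFaccess''' attribute". The three slice credentials added at lines 145-153 are joined only by bare "and" lines; a short phrase saying what each image contributes to the path would make the example easier to follow.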
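Review bot: New line 159 says "a path from principal to credential", which disagrees with "path from principal to attribute" at line 143; use "attribute" in both places. The rewrite also drops "faber responds with the completed graph", so the exchange now ends with the slice sending its credentials, and unchanged line 163 ("Each side can check all the credentials ... At that point the authorization is complete") follows with nothing saying what faber sends back or how his own credential enters the proof. Suggest adding a sentence after the image at line 161 that describes faber's reply.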