Changes between Version 2 and Version 3 of TIEDABACDemo


Ignore:
Timestamp:
07/10/09 12:07:42 (15 years ago)
Author:
faber@isi.edu
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TIEDABACDemo

    v2 v3  
    2727Principals are represented as circles.  Our principals are labeled with simple, human-readable names, but in reality the assertions being made are being made about their globally unique identifiers.  Those IDs are essentially a public key that identifies the principal (though some systems like Kerberos may have a more intricate implementation).  Tools, including ours, represent principals using a readable name, but that's to help users of those tools.
    2828
    29 Attributes are a rectangle containing the principal that asserts the attribute and the attribute name in dotted notation.  The '''USC.staff''' attribute means that the USC principal is asserting a GENI attribute.  Again, USC is shorthand for that principal's unique identifier, but the attribute names are simple strings.
     29Attributes are a rectangle containing the principal that asserts the attribute and the attribute name in dotted notation.  The '''ISI.GENI''' attribute means that the ISI principal is asserting a GENI attribute.  Again, ISI is shorthand for that principal's unique identifier, but the attribute names are simple strings.
    3030
    31 The arrow connecting an attribute to a principal indicates that the principal has the attribute.  We point the arror toward the attribute, indicating that the principal is in the group.  The presence of such an arror indicates that the principal controlling the attribute has issued a signed assertion that the other principal has the given attribute.  In the example USC has issued an assertion that Ted is in USC.GENI.
     31The arrow connecting an attribute to a principal indicates that the principal has the attribute.  We point the arror toward the attribute, indicating that the principal is in the group.  The presence of such an arror indicates that the principal controlling the attribute has issued a signed assertion that the other principal has the given attribute.  In the example ISI has issued an assertion that Ted is in ISI.GENI.
     32
     33[[Image(Simple.png)]]
     34
     35The image above shows a simple delegation.  The GPO prinicpal has delegated the power to grant principals the GPO.demo attribute to USC by asserting that any USC.GENI principal also has the GPO.demo attribute.  Ted has the GPO.demo attribute because he is a USC.GENI principal and all USC.GENI principals are GPO.demo prinicpals.  The arrow between '''ISI.GENI''' and Ted is the familiar assertion by a principal assigning another principal the attribute;  The arrow between '''GPO.demo''' and '''ISI.GENI''' represents a signed assertion about the two attributes.  That attribute is signed by the GPO principal.
     36
     37[[Image(Creds.png)]]
     38
     39The image above points out that each arrow maps into an ABAC credential: an element that can be used in a proof.  Because each of these is a signed assertion of a fact or delegation of authority, walking the arrows to an attribute corresponds to collecting those signed credentials, which establishes a trust relationship.  ABAC credentials allow principals to negotiate directly about what they consider adequate proof.