31 | | The arrow connecting an attribute to a principal indicates that the principal has the attribute. We point the arror toward the attribute, indicating that the principal is in the group. The presence of such an arror indicates that the principal controlling the attribute has issued a signed assertion that the other principal has the given attribute. In the example USC has issued an assertion that Ted is in USC.GENI. |
| 31 | The arrow connecting an attribute to a principal indicates that the principal has the attribute. We point the arror toward the attribute, indicating that the principal is in the group. The presence of such an arror indicates that the principal controlling the attribute has issued a signed assertion that the other principal has the given attribute. In the example ISI has issued an assertion that Ted is in ISI.GENI. |
| 32 | |
| 33 | [[Image(Simple.png)]] |
| 34 | |
| 35 | The image above shows a simple delegation. The GPO prinicpal has delegated the power to grant principals the GPO.demo attribute to USC by asserting that any USC.GENI principal also has the GPO.demo attribute. Ted has the GPO.demo attribute because he is a USC.GENI principal and all USC.GENI principals are GPO.demo prinicpals. The arrow between '''ISI.GENI''' and Ted is the familiar assertion by a principal assigning another principal the attribute; The arrow between '''GPO.demo''' and '''ISI.GENI''' represents a signed assertion about the two attributes. That attribute is signed by the GPO principal. |
| 36 | |
| 37 | [[Image(Creds.png)]] |
| 38 | |
| 39 | The image above points out that each arrow maps into an ABAC credential: an element that can be used in a proof. Because each of these is a signed assertion of a fact or delegation of authority, walking the arrows to an attribute corresponds to collecting those signed credentials, which establishes a trust relationship. ABAC credentials allow principals to negotiate directly about what they consider adequate proof. |
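Review bot: the USC to ISI rename on line 31 is not carried through to line 35, which still says the power was delegated "to USC by asserting that any USC.GENI principal also has the GPO.demo attribute" and that Ted qualifies "because he is a USC.GENI principal", while the same line later refers to the arrow between '''ISI.GENI''' and Ted. A reader following the delegation chain cannot tell which principal issued Ted's credential, so line 35 should use ISI and ISI.GENI throughout to match the new line 31. While touching these lines, "arror" (twice on line 31) and "prinicpal" / "prinicpals" (line 35) should be corrected. The last sentence of line 35, "That attribute is signed by the GPO principal", appears to mean the assertion rather than the attribute, since the sentence before it describes a signed assertion about the two attributes.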