Changes between Version 1 and Version 2 of TIEDCredentials


Ignore:
Timestamp:
04/18/13 20:42:20 (6 years ago)
Author:
faber@isi.edu
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TIEDCredentials

    v1 v2  
    1818== GENI "privilege" credentials ==
    1919
    20 The only type of GENI credential currently in use is the "privilege" credential.  This credential assigns a principal (called the owner) one or more privileges with respect to another principal (called the target).  The privileges are strings meaningful to the implementation.  There is also a bit that allows delegation of the privilege.
     20The only type of GENI credential currently in use is the "privilege" credential.  This credential assigns a principal (called the owner) one or more privileges with respect to another principal (called the target).  The credential has an implicit issuer, the signer of the credential.  The privileges are strings meaningful to the implementation.  There is also a bit that allows delegation of the privilege.  This section describes how to represent the semantics of the GENI credentials in ABAC statements.  Libabac will import a GENI credential into ABAC statements internally and use those statements to make authorization decisions; the AM (relying party) will import the credentials and policy into libabac and ask libabac for the authorization decision.
    2121
    22 This directly translates into one or more ABAC statements that include the owner in the target's privilege set.  Said another way, the target gives owner the privilege attribute defined by the string.  In ABAC RT0 notation: {{{Target.privilege <- Owner}}} for each privilege in the credential.
     22The AM is trying to prove that the Owner who is asking to exercise a privilege on Target is authorized with respect to the AM.
     23
     24Each GENI credential directly translates into one or more ABAC statements. In the simplest case, each of these statements assigns the owner a privilege with respect to the Target according to the issuer. In ABAC RT1 notation this is
     25
     26{{{
     27Issuer.privilege(Target) <- Owner
     28}}}
     29
     30for each privilege in the credential.  This can be expressed in [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt "RT0 lite"] as:
     31
     32{{{
     33Issuer.privilege_Target <- Owner
     34}}}
    2335
    2436
     37Each privilege has a flag indicating whether the owner can further delegate the privilege to others by creating a similar credential and signing it.  The new credential includes the credential that is the basis for delegation in the new credential's parent element.  This recurses. 
    2538
     39Encoding these in ABAC is accomplished in two ways:
     40 * the right to delegate is encoded in an ABAC credential
     41 * the rules for valid delagation (that the delegator must have the privilege and the right to delegate) is expressed in the AM policies.
     42
     43An undelegated credential that can be delegated expands into ABAC statements of the form:
     44
     45{{{
     46Issuer.privilege_Target <- Owner
     47Issuer.can_delegete_privilege_Target <- Owner
     48}}}
     49
     50An
     51
     52{{{
     53Issuer.privilege_Target <- Issuer.can_delegate
     54
     55