source: doc/design @ abd7c25

abac0-leakabac0-meicompt_changesgec13mei-idmei-rt0-nmei_rt0mei_rt2mei_rt2_fix_1meiyap-rt1meiyap1rt2tvf-new-xml
Last change on this file since abd7c25 was 4918535, checked in by Mike Ryan <mikeryan@…>, 14 years ago

top-level build

  • Property mode set to 100644
File size: 1.8 KB
Line 
1OVERVIEW
2
3libabac is comprised of three main types of objects: credentials, roles,
4and contexts.
5
6CREDENTIAL
7
8An ABAC credential is the most basic unit of an ABAC proof. It is a
9signed assertion by a principal A that some other entity has a role r1.
10Abstractly, it is one of the following (A and B principls, r1, r2, r3
11roles):
12
13    A.r1 <- B
14    A.r1 <- B.r2
15    A.r1 <- B.r2.r3
16
17When interacting with libabac, a credential is represented by an X509
18attribute certificates and the associated issuer X509 identity
19certificate.
20
21ROLE
22
23ABAC roles are the atomic units that form the head and tail of a
24credential. The head will always be a proper role, which is to say it
25takes form:
26
27    A.r1
28
29As seen in the CREDENTIAL section, the tail of a role can take one of
30three forms:
31
32    principal:      B
33    role:           B.r2
34    linking role:   B.r2.r3
35
36For more information about the different types of roles, refer to
37[Li03rt].
38
39A principal in libabac is represented by the SHA1 hash of the public key
40of its identity certificate. Therefore the credentials encoded in
41attribute certificates look like this:
42
43    e65aace9237833ec775253cfde97f59a0af5bc3d.frobnicate <-
44        e93547826455a80d9488825a1d083ef6ef264107
45
46CONTEXT
47
48An ABAC context object encapsulates a set of ABAC credentials and its
49associated proof graph. The context supports the following operations:
50
51    - load X509 identity certificate
52    - load X509 attribute certificate
53    - list all the credentials (attribute identity certificate pairs)
54    - query whether a principal has a given role
55    - duplicate context
56
57REFERENCES
58
59[Li03rt]
60    Li, N. and Mitchell, J. C. RT: A role-based trust-management
61    framework. In Proceedings of the Third DARPA Information
62    Survivability Conference and Exposition. IEEE Computer Society
63    Press, 201­212.
Note: See TracBrowser for help on using the repository browser.