source: doc/usage_scenario @ 7764378

abac0-leak
Last change on this file since 7764378 was 461541a, checked in by Mei <mei@…>, 12 years ago

1) updated original rt0 to remove libstrongswan dependency

a) identity credential being made/accessed with openssl api calls

(X509/EVP_PKEY pem)

b) attribute credential being made/access via xmlsec1 (custom XML

structure)

2) refactored libcreddy into libabac and now one ABAC namespace for

libabac

3) added attribute_rule suboption to creddy's attribute as another way

to insert access rule

4) added some regression tests into example directory
5) updated some docs.

  • Property mode set to 100644
File size: 1.5 KB
RevLine 
[fe5682f]1You (Acme, Inc.) are running a service and you would like to use ABAC to
2authenticate users before they can buy rockets from you. Abstractly,
[461541a]3your local set of credentials (as encoded by XML attribute
[fe5682f]4certificates) looks like this:
5
6    Acme.buy_rockets <- Acme.preferred_customer
7
8When you launch your service, you will create an ABAC context and load
9your identity certificate and the attribute certificate that encodes the
10above credential.
11
[461541a]12You have issued the following attribute (encoded in an XML attribute
[fe5682f]13cert), which is held by a user of your service:
14
15    Acme.preferred_customer <- Coyote
16
17The Coyote will begin an SSL session to your service using his
[461541a]18self-signed X509 identity certificate and will present this XML
[fe5682f]19attribute certificate in the body of his message. You will clone the
20ABAC context and add the Coyote's identity certificate and the attribute
21certificate asserting that he is a preferred customer.
22
23You then issue a query asking:
24
25    Acme.buy_rockets <-?- Coyote
26
27The prover will return that this is in fact true and will return the set
28of credentials that proves this, namely:
29
30    Acme.buy_rockets <- Acme.preferred_customer
31    Acme.preferred_customer <- Coyote
32
33NOTES
34
35The credentials above are abstract representations. In actual
36credentials, 'Acme' and 'Coyote' would be represented by the SHA1 of
37their public keys.
38
39Given the above scenario, you can feel secure in selling rockets to the
40Coyote because he has established an SSL session using his certificate,
41indicating that he holds its private key.
Note: See TracBrowser for help on using the repository browser.