You (Acme, Inc.) are running a service and you would like to use ABAC to
authorize users before they can buy rockets from you. (ABAC decides what
an already-authenticated principal may do; the SSL session below is what
authenticates him.) Abstractly, your local set of credentials (as encoded
by X.509 attribute certificates) looks like this:

Acme.buy_rockets <- Acme.preferred_customer

That is, anyone Acme considers a preferred customer may buy rockets.

When you launch your service, you will create an ABAC context and load
your identity certificate and the attribute certificate that encodes the
above credential.

You have issued the following attribute (encoded in an X.509 attribute
certificate), which is held by a user of your service:

Acme.preferred_customer <- Coyote

---|
The Coyote will begin an SSL session to your service using his
self-signed X.509 identity certificate and will present this X.509
attribute certificate in the body of his message. You will add the
Coyote's identity certificate and the attribute certificate asserting
that he is a preferred customer to your ABAC context.

You then issue a query asking:

Acme.buy_rockets <-?- Coyote

The prover will return that this is in fact true, together with the set
of credentials that proves it, namely:

Acme.buy_rockets <- Acme.preferred_customer
Acme.preferred_customer <- Coyote

---|
NOTES

The credentials above are abstract representations. In actual
credentials, 'Acme' and 'Coyote' would be represented by the SHA-1 hash
of their public keys, and the attribute certificate carrying
'Acme.preferred_customer <- Coyote' is signed with Acme's key, which is
what lets the prover trust it.

Given the above scenario, you can feel secure in selling rockets to the
Coyote because he has established an SSL session using his certificate,
indicating that he holds its private key. This holds only if your server
actually requested and verified the client certificate in the handshake,
and if the 'Coyote' you put in the query is the key hash taken from that
verified certificate, not a name copied out of the attribute certificate
he sent: anyone can replay a preferred-customer certificate, but only the
Coyote can complete the handshake with the matching private key.
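The following is an added Python example, not libabac's own code or API, that
sketches the reasoning behind the proof above and the binding check from the
last note. It evaluates the RT0 credential forms over the abstract names used
on this page (it also handles the linked-role form A.r <- B.r1.r2, which the
scenario itself does not use), answers the 'Acme.buy_rockets <-?- Coyote'
query with the two supporting credentials, and takes the query subject from
the TLS-verified peer rather than from the presented certificate. The names
parse_credential, role_members, prove, authorize and principal_name are
hypothetical, the credentials are constructed from the text, and the exact
bytes libabac hashes to name a principal are an assumption noted in the code.

```python
"""Toy RT0 prover for the rocket-shop scenario (added example, not libabac)."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    head: str  # a role, e.g. "Acme.buy_rockets"
    tail: str  # a principal ("Coyote"), a role ("Acme.preferred_customer")
               # or a linked role ("Acme.partner.customer")

    def __str__(self):
        return f"{self.head} <- {self.tail}"


def parse_credential(line):
    """Parse the abstract 'Head <- Tail' notation used on this page."""
    head, tail = (part.strip() for part in line.split("<-"))
    return Credential(head, tail)


def is_principal(term):
    """Principals (key hashes in real credentials) carry no '.', roles do."""
    return "." not in term


def principal_name(spki_der):
    """Name of a principal as the page's note describes it: SHA-1 of the
    public key. Assumption: hashed over the DER-encoded SubjectPublicKeyInfo;
    the page does not say which bytes libabac hashes."""
    return hashlib.sha1(spki_der).hexdigest()


def role_members(creds):
    """Least fixpoint over the credentials: for every role, the principals
    that belong to it, each mapped to one set of credentials proving it."""
    memb = defaultdict(dict)  # role -> {principal: frozenset(credentials)}
    changed = True
    while changed:
        changed = False
        for c in creds:
            if is_principal(c.tail):                          # A.r <- D
                found = {c.tail: frozenset([c])}
            elif c.tail.count(".") == 1:                      # A.r <- B.r2
                found = {p: proof | {c} for p, proof in memb[c.tail].items()}
            else:                                             # A.r <- B.r1.r2
                b, r1, r2 = c.tail.split(".")
                found = {}
                for x, proof1 in list(memb[f"{b}.{r1}"].items()):
                    for p, proof2 in list(memb[f"{x}.{r2}"].items()):
                        found.setdefault(p, proof1 | proof2 | {c})
            for p, proof in found.items():
                if p not in memb[c.head]:
                    memb[c.head][p] = proof
                    changed = True
    return memb


def prove(query, creds):
    """Answer 'A.r <-?- D' the way the page's prover does: (True, proof
    credentials) or (False, ())."""
    role, principal = (part.strip() for part in query.split("<-?-"))
    proof = role_members(creds).get(role, {}).get(principal)
    if proof is None:
        return False, ()
    return True, tuple(sorted(proof, key=str))


def authorize(tls_peer, presented_creds, local_creds, role):
    """Access decision for a TLS client. tls_peer is the principal name derived
    from the client certificate verified in the handshake; it, not any name
    inside the certificates the client sent, becomes the query subject."""
    creds = list(local_creds) + list(presented_creds)
    return prove(f"{role} <-?- {tls_peer}", creds)


# Constructed inputs mirroring the scenario text.
LOCAL = [parse_credential("Acme.buy_rockets <- Acme.preferred_customer")]
PRESENTED = [parse_credential("Acme.preferred_customer <- Coyote")]

if __name__ == "__main__":
    ok, proof = authorize("Coyote", PRESENTED, LOCAL, "Acme.buy_rockets")
    print(ok, [str(c) for c in proof])
    # A replayed certificate does not help a peer whose key is not the Coyote's.
    print(authorize("RoadRunner", PRESENTED, LOCAL, "Acme.buy_rockets"))
```

The fixpoint terminates because a role only gains a principal once, and the
proof stored for it is the first chain that reached it, which for the scenario
is exactly the two credentials the page lists. The authorize() wrapper is the
point of the last note: the subject of the query is whatever key completed the
handshake, so a presented certificate that names someone else proves nothing.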
---|