Re: [Jsdsi-users] ACL and AuthCert
From: Dav C. <dav...@gm...> - 2004-08-26 17:29:12
On Thu, 26 Aug 2004 12:52:05 -0400, Sameer Ajmani <aj...@gm...> wrote:
> Alice can then grant access to her family using an AuthCert. Alice is
> the issuer of this cert, and the subject is a name "Family" (the cert
> probably has no propagate bit). Presumably, Alice has also issued
> NameCerts that define which principals belong to the group named
> "Family". (All these AuthCerts and NameCerts are in your CertStore.)

Do you mean Alice created a NameCert tying Bobby's pubkey to the name Family and then sent it to me, and I add it to my CertStore? I have to maintain copies of the name certificates for everyone else's local name space?

> When Bobby (Alice's brother) attempts to access the webcam, the access
> controller (a process) attempts to prove an AuthCert that starts from
> the principals in the Acl entries and ends with Bobby. Here's a
> simple hack to make this work:

Who creates that AuthCert, Bobby? Or do I have to maintain a comprehensive set of all possible authorizations for my resources? I had been thinking that I only had to maintain my local namespace certificates and the AclEntries for my local resources.

I had thought that it would work something like this:

- Bobby would create a request with his signature and send it to me.
- I would look to see if I had a specific AclEntry for Bobby.
- Not finding one, I would contact Alice's process (since some principal in her namespace does have an AclEntry) and see if she can map Bobby to Family using her local NameCerts and AuthCerts.
- She would respond with something that signs Bobby's request, verifying that he belongs to her Family.
- My process would now have a valid chain that links Bobby to the AclEntry for the resource and grants access.

I'm off track there, aren't I?

-- 
Dav Coleman
http://AkuAku.org/
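The chain the reply describes (an ACL entry naming Alice, Alice's AuthCert to her name "Family", and Alice's NameCerts binding "Family" to keys) can be found by the resource owner's own process once those certs sit in its cert store, with no round trip to Alice at access time. The following toy model is an added example written for this thread; it is not JSDSI code and does not use the JSDSI API. Keys are stand-in strings such as `K_alice`, signatures and validity periods are omitted, and tags are matched by equality instead of SPKI tag intersection, all of which are simplifications of the real system. It also shows the two failure modes a controller must get right: a non-propagating grant cannot be re-delegated, and a name defined in terms of another name is followed without looping.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Union

# Principals are public keys. In this constructed example they are plain
# strings ("K_alice") standing in for real key material.
Key = str


@dataclass(frozen=True)
class Name:
    """A local name in one principal's namespace, e.g. (K_alice, "Family")."""
    issuer: Key
    local_name: str


Subject = Union[Key, Name]


@dataclass(frozen=True)
class NameCert:
    """issuer states: the local name `local_name` in my namespace includes `subject`."""
    issuer: Key
    local_name: str
    subject: Subject


@dataclass(frozen=True)
class AuthCert:
    """issuer grants `subject` the authorization `tag`; `propagate` allows re-delegation."""
    issuer: Key
    subject: Subject
    tag: str
    propagate: bool


@dataclass(frozen=True)
class AclEntry:
    """Resource owner's local entry: `subject` holds `tag` on the resource."""
    subject: Subject
    tag: str
    propagate: bool


Cert = Union[NameCert, AuthCert]


def resolve_name(store: list[Cert], name: Name, visited: Optional[set[Name]] = None) -> set[Key]:
    """Keys bound to `name` by the NameCerts in `store`, following linked names.
    `visited` breaks cycles (a name defined, directly or indirectly, via itself)."""
    if visited is None:
        visited = set()
    if name in visited:
        return set()
    visited.add(name)
    keys: set[Key] = set()
    for cert in store:
        if isinstance(cert, NameCert) and cert.issuer == name.issuer and cert.local_name == name.local_name:
            if isinstance(cert.subject, Name):
                keys |= resolve_name(store, cert.subject, visited)
            else:
                keys.add(cert.subject)
    return keys


def subject_keys(store: list[Cert], subject: Subject) -> set[Key]:
    return {subject} if isinstance(subject, str) else resolve_name(store, subject)


def _extend(store, subject, propagate, requester, tag, chain):
    """Depth-first search for a delegation path from `subject` to `requester`."""
    holders = subject_keys(store, subject)
    if requester in holders:
        return chain
    if not propagate:
        return None  # holders may use the right but may not pass it on
    for cert in store:
        if (isinstance(cert, AuthCert) and cert.issuer in holders
                and cert.tag == tag and cert not in chain):
            found = _extend(store, cert.subject, cert.propagate, requester, tag, chain + [cert])
            if found is not None:
                return found
    return None


def find_chain(store, acl, requester: Key, tag: str):
    """Return (AclEntry, [AuthCert, ...]) proving `requester` holds `tag`, or None."""
    for entry in acl:
        if entry.tag != tag:
            continue
        chain = _extend(store, entry.subject, entry.propagate, requester, tag, [])
        if chain is not None:
            return entry, chain
    return None


# Constructed sample: the webcam owner's ACL names Alice directly and lets her delegate.
WEBCAM_ACL = [AclEntry(subject="K_alice", tag="webcam", propagate=True)]

# Constructed sample cert store: everything the owner's controller has collected.
CERT_STORE: list[Cert] = [
    # Alice grants 'webcam' to the group she calls Family; Family may not re-delegate.
    AuthCert(issuer="K_alice", subject=Name("K_alice", "Family"), tag="webcam", propagate=False),
    # Alice's NameCerts defining Family, one of them via the linked name Siblings.
    NameCert(issuer="K_alice", local_name="Family", subject="K_carol"),
    NameCert(issuer="K_alice", local_name="Family", subject=Name("K_alice", "Siblings")),
    NameCert(issuer="K_alice", local_name="Siblings", subject="K_bobby"),
    # Bobby tries to pass the right on; the search must not accept this cert.
    AuthCert(issuer="K_bobby", subject="K_eve", tag="webcam", propagate=False),
]


def check_access(requester: Key, tag: str = "webcam"):
    return find_chain(CERT_STORE, WEBCAM_ACL, requester, tag)


if __name__ == "__main__":
    for who in ("K_alice", "K_bobby", "K_eve"):
        print(who, "->", check_access(who))
```

In this model the owner's process resolves Alice's name "Family" from name certs that Alice issued and that were delivered to the owner's store ahead of time, which is the point of keeping those certs locally: the controller never has to ask Alice anything while deciding a request. The `propagate` check is what stops Bobby's own AuthCert to `K_eve` from producing a chain.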