[Jsdsi-users] Re: Other features offered by JSDSI
From: Sameer A. <aj...@gm...> - 2006-01-20 15:09:28
On 1/20/06, Somaya Aboulwafa <som...@ya...> wrote:
> Hi,
>
> Now what I have understood is that, for one to implement certificate
> based access control, assume the following scenario:
>
> Alice offers a service X and it has an access control rule stating
> what credentials are required for accessing X.
> Bob wants to access service X offered by Alice.
> Bob then sends Alice his request with some certificates he owns.
> Alice then will:
> 1- Build a certificate path for Bob's certificates using jsdsi,
> resulting in a final certificate (call it Result_Certificate)
> 2- Build a virtual certificate that's equivalent to its access control
> rule (call it Temp_Certificate)
> 3- Make a validation using jsdsi between the Result_Certificate and
> the Temp_Certificate (which is done internally by checking whether
> Result_Certificate "implies" Temp_Certificate).
>
> Do I have any misunderstanding?

That's about correct, though here's how I think of it:

Bob requests to do action A on resource X: he presents a certificate
path whose implied cert is an AuthCert: Bob's key can do A on X.

Or Alice could have an ACL for X that says "only members of group G may
do action A on X". In this case, Bob must present a cert path that
implies "Bob is a member of group G".

> What about certificate revocation and CRLs and ACLs and all this
> stuff?

Much of this isn't yet implemented in JSDSI. The APIs are there, but
not the implementation. Basically, a cert path is a sequence of
self-authenticating certs: right now, a cert is authenticated simply by
its signature. If the cert also says that it might appear on a CRL,
then the person verifying the cert must also check the CRL.

If you're interested in implementing this as an extension to JSDSI, let
me know and I can add you as a developer.

> If Alice receives a certificate from Bob, how could she make sure
> that this certificate is not revoked and that it is currently valid?
> Is this the developer's job as well?

SPKI certs have several ways to specify their own validity. The
simplest is the validity period (not-before and not-after) and the
signature itself. In addition, a cert might require that the person
verifying the cert check a CRL or CVL or one-time validation system.

S

> Many Thanks
> Somaya
>
>
> --- Sameer Ajmani <aj...@gm...> wrote:
>
> > On 1/20/06, Somaya Aboulwafa <som...@ya...> wrote:
> > > Hi Sameer,
> > >
> > > I understand now that with JSDSI I can do the following:
> > > 1. Creating and signing certificates
> > > 2. Verifying certificate signatures
> > > 3. Building a certificate path from a group of certificates
> > > 4. Certificate path validation
> > >
> > > I'd like to know what other features jsdsi supports.
> >
> > You have listed the main features, but in addition there's:
> > - certificate and s-expression parsing and marshalling
> > - an LDAP certificate storage system (I'm not familiar with this,
> >   though)
> > and I'm sure there are others, but I'd have to go look at the
> > APIs...
> >
> > > Also I would be grateful if you give me an insight on how (in
> > > theory) jsdsi does certificate path validation?
> >
> > A certificate path is essentially a series of certificates that,
> > when taken together, imply another certificate (either a name cert
> > or authorization cert); this implied cert is included with the path
> > to aid in validation. The basic operation of validation is
> > certificate "composition" (the SPKI RFC describes the rules for
> > composing certs). Validation works as follows: the certificates in
> > the path are composed, one after the other, each time checking that
> > the signatures are valid. If the final resulting cert "implies"
> > (grants the same or stronger authorization than) the desired cert,
> > then the path is valid.
> >
> > S
> >
> > > Thank you
> > > Somaya
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Tired of spam? Yahoo! Mail has the best spam protection around
> > > http://mail.yahoo.com
> >
> > --
> > Sameer
> > http://ajmani.net

--
Sameer
http://ajmani.net
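The compose-then-"implies" procedure described in this thread, as an added worked example in Python. It is not JSDSI code and does not use the JSDSI API; it is a small stand-alone model of the SPKI 5-tuple reduction rules. Everything in it is constructed for illustration: the principals (K_alice, K_bob, K_carol), the "friends" name, the resource X with read/write tags, an HMAC secret per issuer standing in for a real public-key signature, and a set of certificate hashes standing in for a CRL. It covers both cases Sameer names: an ACL entry granted to a group name that Bob resolves with a name cert, and an authorization that reaches Bob through a delegating intermediary.

```python
"""Toy model of SPKI certificate-path validation: compose the certs in the
path, checking each signature, then test whether the implied cert "implies"
the cert the verifier wants (the ACL entry). Added example, not JSDSI code."""
from dataclasses import dataclass, replace
from datetime import datetime
import hashlib
import hmac
from typing import FrozenSet, Optional, Sequence, Tuple, Union

Key = str                         # principal identified by public key, e.g. "K_alice"
Name = Tuple[Key, str]            # SPKI name: (key that defines it, local name)
Principal = Union[Key, Name]
Tag = FrozenSet[Tuple[str, str]]  # authorization as a set of (resource, action) pairs

# Constructed stand-in for public-key signatures: one HMAC secret per issuer.
# A real verifier would check the signature with the issuer's public key.
SECRETS = {"K_alice": b"alice-secret", "K_carol": b"carol-secret"}


@dataclass(frozen=True)
class AuthCert:
    issuer: Key
    subject: Principal
    delegate: bool                # may the subject pass this authorization on?
    tag: Tag
    not_before: datetime
    not_after: datetime
    signature: bytes = b""

    def body(self) -> bytes:
        return repr((self.issuer, self.subject, self.delegate, sorted(self.tag),
                     self.not_before, self.not_after)).encode()


@dataclass(frozen=True)
class NameCert:
    issuer: Key                   # key that defines the name
    name: str
    subject: Principal            # what the name resolves to (a key or another name)
    not_before: datetime
    not_after: datetime
    signature: bytes = b""

    def body(self) -> bytes:
        return repr((self.issuer, self.name, self.subject,
                     self.not_before, self.not_after)).encode()


Cert = Union[AuthCert, NameCert]


def signed(cert: Cert) -> Cert:
    sig = hmac.new(SECRETS[cert.issuer], cert.body(), hashlib.sha256).digest()
    return replace(cert, signature=sig)


def cert_id(cert: Cert) -> str:
    return hashlib.sha256(cert.body()).hexdigest()


def verify(cert: Cert, revoked: FrozenSet[str]) -> bool:
    """Self-authentication: signature checks out and the cert is not on the (toy) CRL."""
    secret = SECRETS.get(cert.issuer)
    if secret is None:
        return False
    expected = hmac.new(secret, cert.body(), hashlib.sha256).digest()
    return hmac.compare_digest(cert.signature, expected) and cert_id(cert) not in revoked


def compose(acc: AuthCert, nxt: Cert) -> AuthCert:
    """One composition step: validity intersects, names resolve, delegation is enforced."""
    nb, na = max(acc.not_before, nxt.not_before), min(acc.not_after, nxt.not_after)
    if nb > na:
        raise ValueError("validity periods do not overlap")
    if isinstance(nxt, NameCert):
        if acc.subject != (nxt.issuer, nxt.name):
            raise ValueError("name cert does not resolve the current subject")
        return replace(acc, subject=nxt.subject, not_before=nb, not_after=na, signature=b"")
    if acc.subject != nxt.issuer:
        raise ValueError("subject of previous cert is not issuer of next")
    if not acc.delegate:
        raise ValueError("delegation not permitted by previous cert")
    return AuthCert(acc.issuer, nxt.subject, nxt.delegate, acc.tag & nxt.tag, nb, na)


def implies(result: AuthCert, desired: AuthCert, now: datetime) -> bool:
    """Does the implied cert grant the same or stronger authorization than desired?"""
    return (result.issuer == desired.issuer and result.subject == desired.subject
            and result.tag >= desired.tag and (result.delegate or not desired.delegate)
            and result.not_before <= now <= result.not_after)


def validate_path(path: Sequence[Cert], desired: AuthCert, now: datetime,
                  revoked: FrozenSet[str] = frozenset()) -> Optional[AuthCert]:
    """Returns the implied AuthCert if the path proves `desired`, else None."""
    if not path or not isinstance(path[0], AuthCert) or not all(verify(c, revoked) for c in path):
        return None
    try:
        acc = path[0]
        for c in path[1:]:
            acc = compose(acc, c)
    except ValueError:
        return None
    return acc if implies(acc, desired, now) else None


# Constructed scenario: Alice's ACL lets her "friends" read X; Carol may delegate write.
NB, NA, NOW = datetime(2006, 1, 1), datetime(2006, 12, 31), datetime(2006, 1, 20)
READ, WRITE = frozenset({("X", "read")}), frozenset({("X", "write")})
ACL_FRIENDS_READ = signed(AuthCert("K_alice", ("K_alice", "friends"), False, READ, NB, NA))
BOB_IS_FRIEND = signed(NameCert("K_alice", "friends", "K_bob", NB, NA))
ALICE_TO_CAROL = signed(AuthCert("K_alice", "K_carol", True, READ | WRITE, NB, NA))
CAROL_TO_BOB = signed(AuthCert("K_carol", "K_bob", False, WRITE, NB, NA))


def bob_can(tag: Tag, path: Sequence[Cert], revoked: FrozenSet[str] = frozenset()) -> bool:
    desired = AuthCert("K_alice", "K_bob", False, tag, NOW, NOW)  # Alice's "virtual" cert
    return validate_path(path, desired, NOW, revoked) is not None


if __name__ == "__main__":
    print("friend may read:", bob_can(READ, [ACL_FRIENDS_READ, BOB_IS_FRIEND]))
    print("friend may write:", bob_can(WRITE, [ACL_FRIENDS_READ, BOB_IS_FRIEND]))
    print("delegated write:", bob_can(WRITE, [ALICE_TO_CAROL, CAROL_TO_BOB]))
```

The tag intersection in the auth+auth rule is what keeps Carol from handing Bob more than she holds, and the delegate flag is what stops a non-delegable grant from being chained at all; a tampered cert fails at the signature step before composition ever runs, and a revoked cert fails the same way because revocation is checked as part of self-authentication, which matches the thread's point that a CRL check is the verifier's job once the cert declares it.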