
Utilizing GSI for Client Authorization through Agreement Management

This document outlines a framework for client agreement management using GSI (Global Security Infrastructure). It details the process of creating and storing agreements that encapsulate the client's Distinguished Name (DN). The agreements function as a means of authorization, determining access permissions to services based on the DN. Additionally, the document discusses the delegation mechanisms involved in sharing agreements between entities and policies governing the addition of DN entries to agreements. This approach ensures secure service interactions while maintaining integrity in client authorization.

zoltan

Presentation Transcript


  1. Basic structure
     • Utilize GSI
     • If negotiation succeeds and the agreement is created, the agreement stores the "DN" of the client
     • This information can be stored in the agreementInitiator of gsa:ContextType, though it is a URI string in the current spec.
     • When making the agreement, the DN and the policy might be used to decide whether making the agreement is allowed.
     • When the client accesses a service, the service looks up the DN information and decides whether access to the service is allowed
     • In a sense, the agreement acts as a way of "authorization" (authentication is done using GSI)
     Diagram labels: Policy; Client: DN=Takuya; createService(term); Agreement Factory; Stores DN information; Agreement DN=Takuya; call service: (DN = Takuya); Give the information of DN to the service; Service

  2. Dependent Agreement
     • Utilize the delegation mechanism of GSI
     • Agreement-A and Service-A act as the client (DN=Takuya)
     • The rest of the process is the same as in the previous example.
     Diagram labels: Client: DN=Takuya; createService(term); Agreement Factory-A; Agreement-A DN=Takuya; createService(term) (DN=Takuya); Agreement Factory-B; Agreement-B DN=Takuya; call service: (DN = Takuya); Service-A; call service: (DN = Takuya); Service-B

  3. Give agreement to other entities
     • Giving an agreement to another entity can be implemented by adding the DN of that entity to the agreement.
     • Whether adding the DN to the list is allowed might be decided by the policy.
     Diagram labels: Client: DN=Takuya; Policy; createService(term); Agreement Factory; Add Kate to the DN list; Agreement DN=Takuya DN=Kate; Tell GSH of Agreement (and service); Client: DN=Kate; call service: (DN = Kate); Service
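
The three slides above can be modelled as one small authorization flow. This is an added example, not code from the presentation: the Policy, Agreement, AgreementFactory and Service classes, their fields, and the DN "Mallory" are all hypothetical, and the caller DN is assumed to have been authenticated by GSI before it reaches this code.

```python
from dataclasses import dataclass, field

class Denied(Exception):
    """Policy or agreement refused the request."""

@dataclass
class Policy:  # constructed sample policy; the slides do not define a policy format
    may_create: set                                # DNs allowed to make an agreement
    may_add: dict = field(default_factory=dict)    # requester DN -> DNs it may add

@dataclass
class Agreement:
    initiator: str                                 # DN kept in agreementInitiator
    term: str
    dns: set = field(default_factory=set)          # DN list consulted by the service

class AgreementFactory:
    def __init__(self, policy):
        self.policy = policy

    def create_service(self, caller_dn, term):
        # caller_dn is assumed to be the DN that GSI already authenticated.
        if caller_dn not in self.policy.may_create:
            raise Denied(f"{caller_dn} may not create an agreement")
        return Agreement(caller_dn, term, {caller_dn})

    def add_dn(self, agreement, caller_dn, new_dn):
        # Slide 3: the policy decides whether the DN may join the list.
        if new_dn not in self.policy.may_add.get(caller_dn, set()):
            raise Denied(f"{caller_dn} may not add {new_dn}")
        agreement.dns.add(new_dn)

class Service:
    def __init__(self, agreement, downstream=None):
        self.agreement, self.downstream = agreement, downstream

    def call(self, caller_dn):
        # Deny by default: exact match against the agreement's DN list.
        if caller_dn not in self.agreement.dns:
            raise Denied(f"{caller_dn} is not covered by the agreement")
        if self.downstream:                        # slide 2: act as the client via delegation
            return self.downstream.call(caller_dn)
        return f"served {caller_dn}"

def demo():
    fa = AgreementFactory(Policy({"Takuya"}, {"Takuya": {"Kate"}}))
    fb = AgreementFactory(Policy({"Takuya"}))
    agr_a = fa.create_service("Takuya", "term")
    agr_b = fb.create_service(agr_a.initiator, "term")   # Agreement-A acting as Takuya
    svc_a = Service(agr_a, downstream=Service(agr_b))
    fa.add_dn(agr_a, "Takuya", "Kate")
    return fa, agr_a, svc_a
```

In this model a DN added to Agreement-A is still refused by the dependent Service-B until it is also added to Agreement-B, so sharing does not silently widen downstream access.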
