📄 rfc2704.txt
字号:
substituted with the _MIN_TRUST value.
The licensees expression (as defined in Section 4.6.4) is evaluated
as follows:
Blaze, et al. Informational [Page 23]
RFC 2704 The KeyNote Trust-Management System September 1999
* A "(...)" expression has the value of the enclosed subexpression.
* A "&&" expression has the lower-order (minimum) of its two
subexpression values.
* A "||" expression has the higher-order (maximum) of its two
subexpression values.
* A "<K>-of(<List>)" expression has the K-th highest order
compliance value listed in <list>. Values that appear multiple
times are counted with multiplicity. For example, if K = 3 and
the orders of the listed compliance values are (0, 1, 2, 2, 3),
the value of the expression is the compliance value of order 2.
For example, consider the following Licensees field:
Licensees: ("alice" && "bob") || "eve"
If the Principal Compliance Value is "yes" for principal "alice",
"no" for principal "bob", and "no" for principal "eve", and "yes" is
higher order than "no" in the query's Compliance Value Set, then the
resulting Licensee Compliance Value is "no".
Observe that if there are exactly two possible compliance values
(e.g., "false" and "true"), the rules of Licensee Compliance Value
resolution reduce exactly to standard Boolean logic.
5.4 Assertion Management
Assertions may be either signed or unsigned. Only signed assertions
should be used as credentials or transmitted or stored on untrusted
media. Unsigned assertions should be used only to specify policy and
for assertions whose integrity has already been verified as
conforming to local policy by some mechanism external to the KeyNote
system itself (e.g., X.509 certificates converted to KeyNote
assertions by a trusted conversion program).
Implementations that permit signed credentials to be verified by the
KeyNote compliance checker generally provide two `channels' through
which applications can make assertions available. Unsigned,
locally-trusted assertions are provided over a `trusted' interface,
while signed credentials are provided over an `untrusted' interface.
The KeyNote compliance checker verifies correct signatures for all
assertions submitted over the untrusted interface. The integrity of
KeyNote evaluation requires that only assertions trusted as
reflecting local policy are submitted to KeyNote via the trusted
interface.
Blaze, et al. Informational [Page 24]
RFC 2704 The KeyNote Trust-Management System September 1999
Note that applications that use KeyNote exclusively as a local policy
specification mechanism need use only trusted assertions. Other
applications might need only a small number of infrequently changed
trusted assertions to `bootstrap' a policy whose details are
specified in signed credentials issued by others and submitted over
the untrusted interface.
5.5 Implementation Issues
Informally, the semantics of KeyNote evaluation can be thought of as
involving the construction a directed graph of KeyNote assertions
rooted at a POLICY assertion that connects with at least one of the
principals that requested the action.
Delegation of some authorization from principal <A> to a set of
principals <B> is expressed as an assertion with principal <A> given
in the Authorizer field, principal set <B> given in the Licensees
field, and the authorization to be delegated encoded in the
Conditions field. How the expression digraph is constructed is
implementation-dependent and implementations may use different
algorithms for optimizing the graph's construction. Some
implementations might use a `bottom up' traversal starting at the
principals that requested the action, others might follow a `top
down' approach starting at the POLICY assertions, and still others
might employ other heuristics entirely.
Implementations are encouraged to employ mechanisms for recording
exceptions (such as division by zero or syntax error), and reporting
them to the invoking application if requested. Such mechanisms are
outside the scope of this document.
6. Examples
In this section, we give examples of KeyNote assertions that might be
used in hypothetical applications. These examples are intended
primarily to illustrate features of KeyNote assertion syntax and
semantics, and do not necessarily represent the best way to integrate
KeyNote into applications.
In the interest of readability, we use much shorter keys than would
ordinarily be used in practice. Note that the Signature fields in
these examples do not represent the result of any real signature
calculation.
Blaze, et al. Informational [Page 25]
RFC 2704 The KeyNote Trust-Management System September 1999
1. TRADITIONAL CA / EMAIL
A. A policy unconditionally authorizing RSA key abc123 for all
actions. This essentially defers the ability to specify
policy to the holder of the secret key corresponding to
abc123:
Authorizer: "POLICY"
Licensees: "RSA:abc123"
B. A credential assertion in which RSA Key abc123 trusts either
RSA key 4401ff92 (called `Alice') or DSA key d1234f (called
`Bob') to perform actions in which the "app_domain" is
"RFC822-EMAIL", where the "address" matches the regular
expression "^.*@keynote\.research\.att\.com$". In other
words, abc123 trusts Alice and Bob as certification
authorities for the keynote.research.att.com domain.
KeyNote-Version: 2
Local-Constants: Alice="DSA:4401ff92" # Alice's key
Bob="RSA:d1234f" # Bob's key
Authorizer: "RSA:abc123"
Licensees: Alice || Bob
Conditions: (app_domain == "RFC822-EMAIL") &&
(address ~= # only applies to one domain
"^.*@keynote\\.research\\.att\\.com$");
Signature: "RSA-SHA1:213354f9"
C. A certificate credential for a specific user whose email
address is mab@keynote.research.att.com and whose name, if
present, must be "M. Blaze". The credential was issued by the
`Alice' authority (whose key is certified in Example B
above):
KeyNote-Version: 2
Authorizer: "DSA:4401ff92" # the Alice CA
Licensees: "DSA:12340987" # mab's key
Conditions: ((app_domain == "RFC822-EMAIL") &&
(name == "M. Blaze" || name == "") &&
(address == "mab@keynote.research.att.com"));
Signature: "DSA-SHA1:ab23487"
Blaze, et al. Informational [Page 26]
RFC 2704 The KeyNote Trust-Management System September 1999
D. Another certificate credential for a specific user, also
issued by the `Alice' authority. This example allows three
different keys to sign as jf@keynote.research.att.com (each
for a different cryptographic algorithm). This is, in
effect, three credentials in one:
KeyNote-Version: "2"
Authorizer: "DSA:4401ff92" # the Alice CA
Licensees: "DSA:abc991" || # jf's DSA key
"RSA:cde773" || # jf's RSA key
"BFIK:fd091a" # jf's BFIK key
Conditions: ((app_domain == "RFC822-EMAIL") &&
(name == "J. Feigenbaum" || name == "") &&
(address == "jf@keynote.research.att.com"));
Signature: "DSA-SHA1:8912aa"
Observe that under policy A and credentials B, C and D, the
following action attribute sets are accepted (they return
_MAX_TRUST):
_ACTION_AUTHORIZERS = "dsa:12340987"
app_domain = "RFC822-EMAIL"
address = "mab@keynote.research.att.com"
and
_ACTION_AUTHORIZERS = "dsa:12340987"
app_domain = "RFC822-EMAIL"
address = "mab@keynote.research.att.com"
name = "M. Blaze"
while the following are not accepted (they return
_MIN_TRUST):
_ACTION_AUTHORIZERS = "dsa:12340987"
app_domain = "RFC822-EMAIL"
address = "angelos@dsl.cis.upenn.edu"
and
_ACTION_AUTHORIZERS = "dsa:abc991"
app_domain = "RFC822-EMAIL"
address = "mab@keynote.research.att.com"
name = "M. Blaze"
and
_ACTION_AUTHORIZERS = "dsa:12340987"
app_domain = "RFC822-EMAIL"
address = "mab@keynote.research.att.com"
name = "J. Feigenbaum"
Blaze, et al. Informational [Page 27]
RFC 2704 The KeyNote Trust-Management System September 1999
2. WORKFLOW/ELECTRONIC COMMERCE
E. A policy that delegates authority for the "SPEND" application
domain to RSA key dab212 when the amount given in the
"dollars" attribute is less than 10000.
Authorizer: "POLICY"
Licensees: "RSA:dab212" # the CFO's key
Conditions: (app_domain=="SPEND") && (@dollars < 10000);
F. RSA key dab212 delegates authorization to any two signers,
from a list, one of which must be DSA key feed1234 in the
"SPEND" application when @dollars < 7500. If the amount in
@dollars is 2500 or greater, the request is approved but
logged.
KeyNote-Version: 2
Comment: This credential specifies a spending policy
Authorizer: "RSA:dab212" # the CFO
Licensees: "DSA:feed1234" && # The vice president
("RSA:abc123" || # middle manager #1
"DSA:bcd987" || # middle manager #2
"DSA:cde333" || # middle manager #3
"DSA:def975" || # middle manager #4
"DSA:978add") # middle manager #5
Conditions: (app_domain=="SPEND") # note nested clauses
-> { (@(dollars) < 2500)
-> _MAX_TRUST;
(@(dollars) < 7500)
-> "ApproveAndLog";
};
Signature: "RSA-SHA1:9867a1"
G. According to this policy, any two signers from the list of
managers will do if @(dollars) < 1000:
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: 2-of("DSA:feed1234", # The VP
"RSA:abc123", # Middle management clones
"DSA:bcd987",
"DSA:cde333",
"DSA:def975",
"DSA:978add")
Conditions: (app_domain=="SPEND") &&
(@(dollars) < 1000);
Blaze, et al. Informational [Page 28]
RFC 2704 The KeyNote Trust-Management System September 1999
H. A credential from dab212 with a similar policy, but only one
signer is required if @(dollars) < 500. A log entry is made if
the amount is at least 100.
KeyNote-Version: 2
Comment: This one credential is equivalent to six separate
credentials, one for each VP and middle manager.
Individually, they can spend up to $500, but if
it's $100 or more, we log it.
Authorizer: "RSA:dab212" # From the CFO
Licensees: "DSA:feed1234" || # The VP
"RSA:abc123" || # The middle management clones
"DSA:bcd987" ||
"DSA:cde333" ||
"DSA:def975" ||
"DSA:978add"
Conditions: (app_domain="SPEND") # nested clauses
-> { (@(dollars) < 100) -> _MAX_TRUST;
(@(dollars) < 500) -> "ApproveAndLog";
};
Signature: "RSA-SHA1:186123"
Assume a query in which the or⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -