Table 1. Interpretation of CSIv2 requests

| Connection Method | Transport Principal | CA          | IA    | Invocation Principal | Carol's Interpretation               |
|-------------------|---------------------|-------------|-------|----------------------|--------------------------------------|
| TCP/IP            | Default             | None        | None  | Default              | Default says r                       |
| TCP/IP            | Default             | (Clyde, PW) | None  | Clyde                | Default says Clyde says r            |
| SSL               | Tony                | None        | None  | Tony                 | Tony says r                          |
| SSL               | Tony                | (Clyde, PW) | None  | Clyde                | Tony says Clyde says r               |
| TCP/IP            | Default             | None        | Alice | Alice                | Default says Alice says r            |
| TCP/IP            | Default             | (Clyde, PW) | Alice | Alice                | Default says Clyde says Alice says r |
| SSL               | Tony                | None        | Alice | Alice                | Tony says Alice says r               |
| SSL               | Tony                | (Clyde, PW) | Alice | Alice                | Tony says Clyde says Alice says r    |
| TCP/IP            | Default             | None        | Anon  | Anon                 | Default says Anon says r             |
| TCP/IP            | Default             | (Clyde, PW) | Anon  | Anon                 | Default says Clyde says Anon says r  |
| SSL               | Tony                | None        | Anon  | Anon                 | Tony says Anon says r                |
| SSL               | Tony                | (Clyde, PW) | Anon  | Anon                 | Tony says Clyde says Anon says r     |
The CSIv2 authors have not yet standardized the interpretation of the information contained in the SA component, and thus we focus our attention on the CA and IA components for now. In total, there are six possible pairs (CA, IA) to consider. The CA component may either be empty (in which case no principal is associated with CA) or contain a userid/password pair (Clyde, PW) (in which case the principal Clyde is associated with CA). There are three possibilities for the IA component: it may be empty, or it may contain an identity token for a particular principal Alice or for the Anonymous principal.
When the target provider Carol receives a request r with an associated SAS data structure, she always interprets it relative to the same ordering on principals: the transport principal (either Default or Tony) first, followed by (if present) the principal associated with CA (Clyde), followed by (if present) the principal associated with IA (Alice or Anon). Thus, if an SSL request r identifies Clyde as the CA principal and Alice as the IA principal, then Carol interprets this request as Tony says (Clyde says (Alice says r)), and she considers Alice to be the invocation principal (i.e., client). In contrast, a TCP/IP request r that identifies Clyde as the CA principal and contains no IA component is interpreted as Default says (Clyde says r), and Clyde is the invocation principal. Table 1 enumerates the twelve cases for requests that are made in association with the SAS data structure.
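The ordering rule just described, written out as an added example in Python (this is not code from the paper or from any CSIv2 implementation). It assumes only what Table 1 states: a plain TCP/IP connection yields the transport principal Default and an SSL connection authenticates the intermediary as Tony; the `SASRequest` class and the function names are constructed for this example.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple

# Constructed model of how Carol interprets a request carrying a SAS data structure.
# Principals are plain strings; CSIv2 tokens are reduced to the principal they name.

# Assumed mapping, taken from Table 1: TCP/IP -> Default, SSL -> Tony.
TRANSPORT_PRINCIPAL = {"TCP/IP": "Default", "SSL": "Tony"}


@dataclass(frozen=True)
class SASRequest:
    transport: str                       # "TCP/IP" or "SSL"
    ca: Optional[Tuple[str, str]]        # client-authentication (userid, password) or None
    ia: Optional[str]                    # identity-assertion token: principal name or None
    request: str = "r"                   # the invoked operation


def interpret(req: SASRequest) -> Tuple[str, str]:
    """Return (statement, invocation_principal) using Carol's fixed ordering:
    transport principal first, then the CA principal (if present), then the IA
    principal (if present). The innermost principal is the invocation principal."""
    if req.transport not in TRANSPORT_PRINCIPAL:
        raise ValueError(f"unknown transport: {req.transport!r}")
    chain = [TRANSPORT_PRINCIPAL[req.transport]]
    if req.ca is not None:
        userid, _password = req.ca       # only the userid names a principal; the password is an authenticator
        chain.append(userid)
    if req.ia is not None:
        chain.append(req.ia)
    invocation_principal = chain[-1]
    # Build "P1 says P2 says ... says r" from the inside out; "says" is read as
    # right-associative, so this matches Tony says (Clyde says (Alice says r)).
    statement = req.request
    for principal in reversed(chain):
        statement = f"{principal} says {statement}"
    return statement, invocation_principal


def all_cases() -> List[Tuple[str, Optional[Tuple[str, str]], Optional[str], str, str]]:
    """Enumerate the twelve cases of Table 1 in the table's order:
    grouped by IA (None, Alice, Anon), then transport, then CA."""
    rows = []
    for ia in (None, "Alice", "Anon"):
        for transport, ca in product(("TCP/IP", "SSL"), (None, ("Clyde", "PW"))):
            statement, invoker = interpret(SASRequest(transport, ca, ia))
            rows.append((transport, ca, ia, invoker, statement))
    return rows


if __name__ == "__main__":
    for transport, ca, ia, invoker, statement in all_cases():
        print(f"{transport:7} {str(ca):14} {str(ia):6} {invoker:8} {statement}")
```

Running the block prints the twelve rows of Table 1. The useful property of the derived statement is that it keeps every party in the path visible: in `Tony says Clyde says Alice says r`, Alice's identity reaches Carol only as an assertion made by Clyde over a channel authenticated as Tony, so Carol's access-control decision has to account for whether she trusts Tony and Clyde to speak for Alice, not merely for whether "Alice" appears in the IA token.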
The fourth case in the table - and the associated statement Tony says Clyde says r - can be used to describe a situation in which a bank customer (here, Clyde) connects with a web server to perform an online-banking operation. The web server passes on Clyde's username, password, and request r to an online banking server (Carol) over SSL; because the request is transmitted over SSL, Carol authenticates the web server as Tony, rather than identifying the web server as Default. The CSIv2 protocol specifies how the information is to be interpreted by the target principal.