You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is a re-creation of the previous issue #784. It's being re-created here just to have an issue tracking the work. Converting the previous issue to a discussion caused problems with tracking the issue in linear.
With claims on a Sigchain being the basis for authority delegation. We need a mechanism for creating these claims on the Sigchains of nodes we delegate authority to. There are two kinds of this, the pull and push flow. In both cases a claim is minted and added to the Sigchain. The core of this is creating a standard CSR procedure for creating and adding these claims to the Sigchain.
These claims will be statically defined within the claims domain and the structure will be know ahead of time. In the future the structure can be dynamically defined but that is a problem to be solved by the capability system. In the meantime the static definitions are fine.
There are some aspects to the procedure.
Authenticating the request.
Creating, signing and inserting the claim into the Sigchain.
The authentication proves that you are allowed to get this claim. There will be a few methods of authentication depending on our needs. It will need discussion on what we want to support but I think we'll want to support multiple methods.
Via a token that specifies this node is allowed.
A short lived or one use bearer token that specifies that the holder is allowed.
A local whitelist on the node creating the claim.
An external request to PKE allowing the claim.
Check with an external authority if the claim is allowed.
Allowing based on policy.
Then the claim needs to be created and sent over to be added to the Sigchain. This claim can be cross signed but the only requirement is that the issuer of the claim needs to sign it. We need to discuss weather the claim is also included on the Sigchain of the issuer as well.
There will be two styles, push and pull. The Pull is the normal style where the subject node requests the claim. For this style subject implicitly trusts the issuer. But the subject is required to be authenticated before a claim can be issued. Conversely for the push flow the authentication is implicit and known ahead of time. But the subject node needs to explicitly trust the issuer. The push flow will be important and configuring the PKE org seed nodes.
Specification
This is a re-creation of the previous issue #784. It's being re-created here just to have an issue tracking the work. Converting the previous issue to a discussion caused problems with tracking the issue in linear.
With claims on a Sigchain being the basis for authority delegation. We need a mechanism for creating these claims on the Sigchains of nodes we delegate authority to. There are two kinds of this, the pull and push flow. In both cases a claim is minted and added to the Sigchain. The core of this is creating a standard CSR procedure for creating and adding these claims to the Sigchain.
These claims will be statically defined within the claims domain and the structure will be know ahead of time. In the future the structure can be dynamically defined but that is a problem to be solved by the capability system. In the meantime the static definitions are fine.
There are some aspects to the procedure.
The authentication proves that you are allowed to get this claim. There will be a few methods of authentication depending on our needs. It will need discussion on what we want to support but I think we'll want to support multiple methods.
Via a token that specifies this node is allowed.
A short lived or one use bearer token that specifies that the holder is allowed.
A local whitelist on the node creating the claim.
An external request to PKE allowing the claim.
Check with an external authority if the claim is allowed.
Allowing based on policy.
Then the claim needs to be created and sent over to be added to the Sigchain. This claim can be cross signed but the only requirement is that the issuer of the claim needs to sign it. We need to discuss weather the claim is also included on the Sigchain of the issuer as well.
There will be two styles, push and pull. The Pull is the normal style where the subject node requests the claim. For this style subject implicitly trusts the issuer. But the subject is required to be authenticated before a claim can be issued. Conversely for the push flow the authentication is implicit and known ahead of time. But the subject node needs to explicitly trust the issuer. The push flow will be important and configuring the PKE org seed nodes.
Additional context
There is an ongoing discussion for this at #791
Tasks
The text was updated successfully, but these errors were encountered: