Delegating Authority via Sigchain Claims representing Trust #818

Open
tegefaulkes opened this issue Oct 1, 2024 · 1 comment
Labels
development Standard development

tegefaulkes commented Oct 1, 2024

Specification

This is a re-creation of the previous issue #784. It's being re-created here just to have an issue tracking the work. Converting the previous issue to a discussion caused problems with tracking the issue in linear.

With claims on a Sigchain being the basis for authority delegation, we need a mechanism for creating these claims on the Sigchains of nodes we delegate authority to. There are two kinds of this, the pull and push flow. In both cases a claim is minted and added to the Sigchain. The core of this is creating a standard CSR procedure for creating and adding these claims to the Sigchain.

These claims will be statically defined within the claims domain and the structure will be known ahead of time. In the future the structure can be dynamically defined but that is a problem to be solved by the capability system. In the meantime the static definitions are fine.

There are some aspects to the procedure.

  1. Authenticating the request.
  2. Creating, signing and inserting the claim into the Sigchain.

The authentication proves that you are allowed to get this claim. There will be a few methods of authentication depending on our needs. It will need discussion on what we want to support but I think we'll want to support multiple methods.

  - Via a token that specifies this node is allowed.
  - A short lived or one use bearer token that specifies that the holder is allowed.
  - A local whitelist on the node creating the claim.
  - An external request to PKE allowing the claim.
  - Check with an external authority if the claim is allowed.
  - Allowing based on policy.

Then the claim needs to be created and sent over to be added to the Sigchain. This claim can be cross signed but the only requirement is that the issuer of the claim needs to sign it. We need to discuss whether the claim is also included on the Sigchain of the issuer as well.

There will be two styles, push and pull. The pull is the normal style where the subject node requests the claim. For this style the subject implicitly trusts the issuer. But the subject is required to be authenticated before a claim can be issued. Conversely, for the push flow the authentication is implicit and known ahead of time. But the subject node needs to explicitly trust the issuer. The push flow will be important in configuring the PKE org seed nodes.

Additional context

There is an ongoing discussion for this at #791

Tasks

  1. This needs more discussion so we need to go over the details.
@tegefaulkes tegefaulkes added the development Standard development label Oct 1, 2024
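
The pull flow described in the issue above, as an added example that is not part of the issue or of the project's code: the subject presents a one-use bearer token, the issuer authenticates it, signs a claim, and the subject verifies the claim before inserting it into its Sigchain. The class names, the `ClaimTrust` type string, the claim fields and the hash linking are all assumptions made for illustration, and the subject is assumed to already hold the issuer's public key.

```javascript
// Added example; every name and the claim layout are hypothetical.
const nodeCrypto = require('node:crypto');
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');
// Fixed field order so issuer and subject sign and verify the same bytes.
const encode = (p) => JSON.stringify([p.typ, p.iss, p.sub, p.seq, p.prev]);

class Issuer {
  constructor(id) {
    this.id = id;
    this.keys = nodeCrypto.generateKeyPairSync('ed25519');
    this.tokens = new Map(); // sha256(token) -> { expires }
  }
  // Out of band: hand a short-lived, one-use bearer token to the subject.
  grantToken(ttlMs = 60_000) {
    const token = nodeCrypto.randomBytes(32).toString('hex');
    this.tokens.set(sha256(token), { expires: Date.now() + ttlMs });
    return token;
  }
  // Step 1: authenticate the request. Step 2: create and sign the claim.
  handleRequest({ token, sub, seq, prev }) {
    const key = sha256(token);
    const grant = this.tokens.get(key);
    this.tokens.delete(key); // consumed on first presentation, even if expired
    if (!grant || grant.expires < Date.now()) throw new Error('unauthenticated');
    const payload = { typ: 'ClaimTrust', iss: this.id, sub, seq, prev };
    const sig = nodeCrypto.sign(null, Buffer.from(encode(payload)), this.keys.privateKey);
    return { payload, sig: sig.toString('base64') };
  }
}

class Sigchain {
  constructor(nodeId) { this.nodeId = nodeId; this.claims = []; }
  head() { // position the next claim must occupy
    const last = this.claims.at(-1);
    return { seq: this.claims.length + 1, prev: last ? sha256(encode(last.payload) + last.sig) : null };
  }
  // Subject side: check chain position and issuer signature before inserting.
  append(claim, issuerPublicKey) {
    const { seq, prev } = this.head(), p = claim.payload;
    if (p.sub !== this.nodeId || p.seq !== seq || p.prev !== prev) throw new Error('claim does not fit chain');
    const ok = nodeCrypto.verify(null, Buffer.from(encode(p)), issuerPublicKey, Buffer.from(claim.sig, 'base64'));
    if (!ok) throw new Error('bad issuer signature');
    return this.claims.push(claim); // new length equals the claim's seq
  }
}
// Pull flow: subject asks, issuer authenticates, subject verifies and inserts.
function pull(issuer, chain, token) {
  const claim = issuer.handleRequest({ token, sub: chain.nodeId, ...chain.head() });
  return chain.append(claim, issuer.keys.publicKey);
}
```

A replayed token is rejected by the issuer, and a claim altered after signing is rejected by the subject, so neither reaches the chain.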
linear bot commented Oct 1, 2024
