dotgnu-auth

[Auth]The trust triangle


From: Peter Minten
Subject: [Auth]The trust triangle
Date: Sun, 17 Nov 2002 17:42:11 +0100

Hi,

I did some brain work on the trust triangle problem (the user, VI server and
webservice don't trust each other at the beginning but they need to trust
each other after login), but I believe I've finally got it (probably reinvented
the wheel here, but who cares :-). The following diagram applies:

       3                                   4
  /---------> +------------------+ ------------------\
  |           |    webservice    |                   |
  |   /------ +------------------+ <-------\         |
  |   |   5                            6   |         |
  |   |                                    |         |
  |   V                1                   |         V
+--------+ ----------------------------> +-------------+
|  user  |                               |  VI server  |
+--------+ <---------------------------- +-------------+
                       2

The arrows show who trusts whom (a --> b <=> a trusts b).

The procedure is this:

1. The user has the public key of the VI server stored locally (or it can fetch
the key from a trusted third party). The user sends a challenge to the VI server
(like 2 numbers which have to be multiplied), the VI server responds and
encrypts the response with its private key. The user decrypts using the VI
server's public key. At the right response the user trusts the VI server.

2. The authorization system knows the user's public key (which is stored in the
VI) and uses that to challenge the user like in step 1.

3. The user has the public key of the webservice stored locally (or fetched from
a trusted third party). It uses this to challenge the webservice.

4. At registration the user has given some info including the public key of its
VI server. The webservice uses this to challenge the VI server.

5. Since the webservice trusts the VI server and the VI server trusts the user
the webservice trusts the user.

6. Since the VI server trusts the user and the user trusts the webservice the VI
server trusts the webservice.

There you have it, everybody trusts everybody.

Greetings,

Peter
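The six steps of the post as a small Go program, added here as an example; it is not code from the post or from the DotGNU project. It assumes Ed25519 signatures in place of "encrypt the response with the private key", a fresh random nonce as the challenge instead of the two-numbers example, and the names Party, Known, Trusts, Challenge, TrustVia and RunTriangle, which are mine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Party is one corner of the triangle; Trusts records the diagram's arrows.
type Party struct {
	Name   string
	pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	Known  map[string]ed25519.PublicKey // public keys stored locally or given at registration
	Trusts map[string]bool              // Trusts[x] == true means "this party --> x"
}

func NewParty(name string) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return &Party{name, pub, priv, map[string]ed25519.PublicKey{}, map[string]bool{}}
}

// Challenge is steps 1-4: a sends b a fresh random nonce, b signs it, a verifies with
// the key it holds for b. A missing key or a wrong key (an impostor) draws no arrow.
func (a *Party) Challenge(b *Party) bool {
	key, ok := a.Known[b.Name]
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	if !ok || !ed25519.Verify(key, nonce, ed25519.Sign(b.priv, nonce)) {
		return false
	}
	a.Trusts[b.Name] = true
	return true
}

// TrustVia is steps 5 and 6: a --> b and b --> c yields a --> c.
func (a *Party) TrustVia(b, c *Party) bool {
	a.Trusts[c.Name] = a.Trusts[c.Name] || a.Trusts[b.Name] && b.Trusts[c.Name]
	return a.Trusts[c.Name]
}

// RunTriangle walks the six numbered steps of the post and returns the parties.
func RunTriangle() (user, vi, ws *Party) {
	user, vi, ws = NewParty("user"), NewParty("VI server"), NewParty("webservice")
	user.Known[vi.Name], vi.Known[user.Name] = vi.pub, user.pub // stored locally / in the VI
	user.Known[ws.Name], ws.Known[vi.Name] = ws.pub, vi.pub     // stored locally / at registration
	user.Challenge(vi); vi.Challenge(user)       // 1, 2
	user.Challenge(ws); ws.Challenge(vi)         // 3, 4
	ws.TrustVia(vi, user); vi.TrustVia(user, ws) // 5, 6
	return
}
```

Challenge refuses to draw an arrow both when no public key is stored for the responder's name and when the responder signs under a key other than the stored one, so a party merely claiming the VI server's name gains nothing.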


