Hi Ben,
On 04.11.2016 23:17, Ben Campbell wrote:
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------
... then you identify the user in the ACL and walk up the delegation chain.
In step 5, you have arrived at the root of the delegation tree. This is the case when the to_user equals the signer equals the owner of the resources (see Figure 1). This is also how it terminates - the owner of the resource is the root of the trust chain.
I'm probably being dense here, but my confusion is in the phrasing of "the "to_user" value user name of the signer of the previously selected ACL item". Won't that always be true for every ACL item up the chain after the first?
No, the selected ACL item from the previous step is the row you are
in. It basically says that the "to_user" value equals the username of
the signer. This is the "A A" case in row 4 in your example below.
This row should be in an ACL only once and the user must be the owner
of the resource, which is requested to be verified separately.
As an example, let's say I have a delegation chain of A,B,C,D, where A is the owner. Would the ACL chain look like the following (in leaf-to-root order)?
     signer   to_user
  1  C        D
  2  B        C
  3  A        B
  4  A        A
If so, then ACL 2 seems to have a to_user that matches the signer of ACL 1 (the previously selected ACL), which seems to terminate early.
Again, I'm sure I'm missing something.
I believe the confusion comes from the "previously" - this is meant to
refer to the "previous step" and the actual row. We changed
"previously" to "previous step" to avoid this confusion.
I still think I'm confused. Step 5 basically says iterate over steps 3
and 4. If I'm currently looking at the ACL from the Nth iteration of 3
and 4, it seems to me that the "ACL from the previous step" is ACL N-1.
The delegation is a tree - so it's not a linear chain.
If the terminal condition is when you find an ACL where the signer and the to_user are the same, then you could say _that_ without getting into "previous steps."
Guess you are right. Why don't we simplify the sentence to
"Repeat steps 3 and 4 until the "to_user" value is equal to the user
name of the signer of the ACL in the selected item." ?
Thanks,
thomas
--
Prof. Dr. Thomas C. Schmidt
° Hamburg University of Applied Sciences Berliner Tor 7 °
° Dept. Informatik, Internet Technologies Group 20099 Hamburg, Germany °
° http://www.haw-hamburg.de/inet Fon: +49-40-42875-8452 °
° http://www.informatik.haw-hamburg.de/~schmidt Fax: +49-40-42875-8409 °
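The walk discussed in the thread, as an added example that is not code from the draft or from either correspondent: it starts at the ACL item granting the requesting user access, repeatedly selects the item whose "to_user" is the signer of the current item, and stops with the simplified rule proposed above, when the selected item's "to_user" equals its own signer. The AclItem layout (signer, to_user), the cycle guard, the duplicate-row check and the separate owner check are this example's assumptions; the sample ACL is constructed from Ben's A,B,C,D chain plus one extra branch (B delegating to E) to show that the delegation is a tree rather than a single line.

```python
"""Walk an ACL delegation chain from a requesting user up to the resource owner.

Added example, not code from the draft or the thread. The (signer, to_user)
row layout and the termination rule "stop when to_user equals the signer of
the selected item" follow the discussion; the cycle guard, duplicate-row
check and owner comparison are this example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclItem:
    signer: str   # user who signed this item (the delegator)
    to_user: str  # user the item grants access to (the delegatee)


def walk_delegation_chain(acl: list[AclItem], user: str, owner: str) -> Optional[list[AclItem]]:
    """Return the ACL items from the item granting `user` access up to the root.

    Returns None when no complete chain exists: a missing link, a user that
    appears as to_user in more than one row, a delegation cycle, or a root
    row whose signer is not the resource owner (the owner check the thread
    says is verified separately).
    """
    # Index rows by the user they grant access to. In a delegation tree each
    # user should be the to_user of exactly one row; keep a list so that
    # duplicates can be rejected rather than silently picked.
    by_to_user: dict[str, list[AclItem]] = {}
    for item in acl:
        by_to_user.setdefault(item.to_user, []).append(item)

    chain: list[AclItem] = []
    seen: set[str] = set()
    current = user
    while True:
        if current in seen:
            return None  # cycle: a user delegating back to an ancestor
        seen.add(current)
        rows = by_to_user.get(current, [])
        if len(rows) != 1:
            return None  # broken chain (no row) or ambiguous duplicate rows
        item = rows[0]
        chain.append(item)
        # Termination rule from the thread: the selected item's to_user is
        # the signer of that same item, i.e. we reached the root of the tree.
        if item.to_user == item.signer:
            return chain if item.signer == owner else None
        current = item.signer  # walk one step up: who delegated to the signer?


def chain_as_pairs(chain: Optional[list[AclItem]]) -> Optional[list[tuple[str, str]]]:
    """Flatten a chain to (signer, to_user) pairs for display and testing."""
    return None if chain is None else [(i.signer, i.to_user) for i in chain]


# Constructed sample ACL: Ben's chain A -> B -> C -> D (leaf-to-root rows
# 1..4 in the thread) plus a second branch B -> E hanging off the same B.
SAMPLE_ACL = [
    AclItem("C", "D"),
    AclItem("B", "C"),
    AclItem("A", "B"),
    AclItem("A", "A"),  # root row: owner A signed for itself; appears once
    AclItem("B", "E"),
]

if __name__ == "__main__":
    for requester in ("D", "E", "Z"):
        print(requester, "->", chain_as_pairs(walk_delegation_chain(SAMPLE_ACL, requester, "A")))
```

Walking for D visits rows 1, 2, 3 and 4 in that order and only stops at row 4, because rows 1 to 3 each have a to_user equal to the signer of the *next* row, not of the row itself; walking for E reaches the same root through the other branch, and an unknown user, a cycle, or a root signed by someone other than the stated owner yields None.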
_______________________________________________
P2PSIP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/p2psip