Skip to content. | Skip to navigation

Personal tools

Navigation

You are here: Home / Wiki / Lbs-Email-20080326

Lbs-Email-20080326 

From: 	  stoller@flux.utah.edu
Subject: 	Stuff
Date: 	March 26, 2008 1:47:42 PM PDT
To: 	  geni-dev@flux.utah.edu

So, here is a little update on where I have been for the last little
while. Seems like I have spent a lot of time but not made much
progress.

* I figured out how to use the xmlsig code. This is a nice library and
  front end program (xmlsec) that can generate signatures in the
  proper format as specified by the schema. It can also verify
  signatures and also verify the certificate (chains) used to sign
  them. Very handy. This was my foray into xml schemas for real and so
  I did spend time learning that stuff. Useful.

* I then disappeared into globus. They have an implementation of
  proxy/delegation certificates that I thought we might be able to
  use. Sheesh, the source tree has 59000 files in it! Talk about
  bloat. Anyway, I found the right stuff inside it and found two
  problems; 1) the implementation allows for only two types of
  delegations; everything or nothing and 2) it uses SAML, which was
  another diversion into bloatation. After about two days of this I
  decided that I did not want to hack this code or try to separate out
  the tiny little parts we need from it. Too much pain.

* I then started thinking about the alternatives. I came up with an
  approach that looks like the following:

<foo>
<credential>
  <uuid>xxx-yyy-zzz</uuid>
  <capabilities>
    <capability>
      <capability_name>frazzle</capability_name>
      <can_delegate>1</can_delegate>
    </capability>
  </capabilities>
</credential>
<signatures>
 <signature></signature>
</signatures>
</foo>

So, a credential is a set of capabilities (with a delegation flag on
each one). Attached to that is a signature. I did not bother to
include the guts of the signature, but it includes all kinds of stuff
from the xmldsig schema, including the x509 certificate used to sign
the data. In the case above, the signature is that of a trusted entity
(Emulab) since it has not been delegated from elsewhere.

* I still have to settle on the UUID above. I guess its really a GGID,
  and in the case above it refers to the person who has the permission
  (credentials) to do whatever. I think we also need to include the
  GGID of the thing the credential refers to (GGID of the experiment,
  node, whatever). Also maybe a type or some indicator of how to look
  that GGID up (in which name server)?

* Okay, what about delegation. We have a couple of issues to worry
  about. First is that we have to be able to verify that delegations
  are valid (do not violate a previous capability that said that
  capability could not be delegated). This is a lot like verifying a
  certificate chain; start at the beginning and go through each set
  till you get to the end. Second problem is that you need to sign
  each new set of capabilities, and you have to include all the
  previous capabilities in the signature so that you have proof that
  nothing in the history has been tampered with. So what I came up for
  this:

<foo>
<credential>
  <uuid>xxx-yyy-www</uuid>
  <capabilities>
    <capability>
      <capability_name>frazzle</capability_name>
      <can_delegate>1</can_delegate>
    </capability>
  </capabilities>
  <parent>
    <credential>
     <uuid>xxx-yyy-zzz</uuid>
     <capabilities>
      <capability>
       <capability_name>frazzle</capability_name>
       <can_delegate>1</can_delegate>
      </capability>
     </capabilities>
    </credential>
  </parent>
</credential>
<signatures>
 <signature></signature>
 <signature></signature>
</signatures>
</foo>

Its maybe hard to see, but the original capability set is contained
*within* the new one (look for the "parent" tag). There are also two
signatures, the original signature and a new signature that covers the
entire blob of data. To verify the above, the signatures have to be
valid, the certificate chain has to be valid, and the root set of
capabilities has to be signed by a trusted entity. This proves that
the leaf set of capabilities is valid if it has not been altered in
the middle and it conforms to the delegation rules.

* My next step was to take cue from Rob and generate a schema for it
  (like he has done with the new ptop/to/vtop stuff for assign). Well,
  I've never done this before either, and after an amazing amount of
  screwing around, I actually came up with one! See the attached file
  if you really care. The nice thing about this schema stuff is that
  you can use the libxml2 package (via perl) to verify that an xml
  file adheres to the schema, before you try and mess with it. Saves
  on writing your own debugging code. The same library allows you to
  access parts of the xml structure after it is parsed, although its
  not as simple as XML:Simple makes it.

So I will stop here and let Rob (or anyone else who is still awake by
now) comment.