author | GNU Hurd wiki engine <web-hurd@gnu.org> | 2007-08-23 09:21:32 +0000 |
---|---|---|
committer | GNU Hurd wiki engine <web-hurd@gnu.org> | 2007-08-23 09:21:32 +0000 |
commit | 819f7209cf3990bfe718a0ad4b4e49d780b0479c (patch) | |
tree | fd8d82bc994eeb02f40ba097b2cf517629872844 | |
parent | 2280c34ef3c5383825785b36a472f9effb69d363 (diff) |
web commit by NealWalfield: Create.
-rw-r--r-- | hurd/authentication.mdwn | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/hurd/authentication.mdwn b/hurd/authentication.mdwn new file mode 100644 index 00000000..0d52a0ba --- /dev/null +++ b/hurd/authentication.mdwn @@ -0,0 +1,17 @@ +UIDs on the Hurd are separate from processes. A process has +[[capabilities]] designating so-called UID vectors that +are implemented by an [[auth]] server. This +makes them easily [[virtualizable]]. + +When a process wishes to gain access to a resource provided by a third +party (e.g., a file system) and that party wishes to authenticate the client +so as to implement some identity-based access control ([[IBAC]]) policy, +the latter initiates a three-way authentication handshake. The server +and client each then begin an authentication sequence with +their respective [[trust]]ed auth servers. If they have +a mutally trusted ancestor and an auth server does not abort the +transaction, then the client is delivered a new capability +naming a newly authenticated session with the server +and the server is delivered the client's designated UID vector. + +For more details, see section 2.3 of the [[HurdCritique]]. |
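Review bot: "mutally" in the line `+a mutally trusted ancestor and an auth server does not abort the` should read "mutually". Two further points on the same hunk: "the latter initiates a three-way authentication handshake" is ambiguous, since "the latter" could be read as either the requesting process or the third party it is talking to; naming the party explicitly (for example "the resource provider initiates") would remove the doubt. The paragraph also documents only the success path (both parties share a trusted ancestor and no auth server aborts); a sentence stating what the client and server receive, or do not receive, when the handshake fails would make the access-control semantics complete for readers who do not follow the [[HurdCritique]] reference.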