web commit by NealWalfield: Create.

author: GNU Hurd wiki engine <web-hurd@gnu.org> 2007-08-23 09:21:32 +0000
committer: GNU Hurd wiki engine <web-hurd@gnu.org> 2007-08-23 09:21:32 +0000
commit: 819f7209cf3990bfe718a0ad4b4e49d780b0479c (patch)
tree: fd8d82bc994eeb02f40ba097b2cf517629872844 /hurd
parent: 2280c34ef3c5383825785b36a472f9effb69d363 (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/hurd/authentication.mdwn b/hurd/authentication.mdwn
new file mode 100644
index 00000000..0d52a0ba
--- /dev/null
+++ b/hurd/authentication.mdwn
@@ -0,0 +1,17 @@
+UIDs on the Hurd are separate from processes.  A process has
+[[capabilities]] designating so-called UID vectors that
+are implemented by an [[auth]] server.  This
+makes them easily [[virtualizable]].
+
+When a process wishes to gain access to a resource provided by a third
+party (e.g., a file system) and that party wishes to authenticate the client
+so as to implement some identity-based access control ([[IBAC]]) policy,
+the latter initiates a three-way authentication handshake.  The server
+and client each then begin an authentication sequence with
+their respective [[trust]]ed auth servers.  If they have
+a mutally trusted ancestor and an auth server does not abort the
+transaction, then the client is delivered a new capability
+naming a newly authenticated session with the server
+and the server is delivered the client's designated UID vector.
+
+For more details, see section 2.3 of the [[HurdCritique]].
author	GNU Hurd wiki engine <web-hurd@gnu.org>	2007-08-23 09:21:32 +0000
committer	GNU Hurd wiki engine <web-hurd@gnu.org>	2007-08-23 09:21:32 +0000
commit	819f7209cf3990bfe718a0ad4b4e49d780b0479c (patch)
tree	fd8d82bc994eeb02f40ba097b2cf517629872844 /hurd
parent	2280c34ef3c5383825785b36a472f9effb69d363 (diff)