The file access-rule.n3
declares the website
policy:
if a request is supported by a key, and there is a certificate -- signed itself with k2 -- which says k is a good request key, and that there is some other certificate, signed with the master key, that says that k2 is a member key, then the request is a good request.
The other details of what "supported" means are below.
this log:forAll :d, :F, :G, :k, :k2, :k3, :kp, :x, :request, :sig, :str, :y , :z , :q . # The rule of access. # # acc:requestSupportedBy means that it correctly claimed to be # signed by the given key. { :request a acc:GoodRequest } is log:implies of { :request acc:forDocument :d; acc:requestSupportedBy :k. [] acc:certSupportedBy :k2; # Certificate log:includes { :k a acc:RequestKey }. [] acc:certSupportedBy [a acc:MasterKey]; # Certificate log:includes { :k2 a acc:MemberKey }. }. # What is a Master key? # # (we could just put in the text here) { <access-master.public> log:semantics [ log:includes {:x a acc:MasterKey}] } log:implies {:x a acc:MasterKey}. # What do we belive is a request? # We trust the command line in defining what is a request. { "1"!os:argv!os:baseAbsolute^log:uri log:semantics :F. :F log:includes { :str acc:endorsement[acc:signature :sig; acc:key :k]}. :k crypto:verify ([is crypto:md5 of :str] :sig). :str log:parsedAsN3:G } log:implies { :G acc:requestSupportedBy :k }. # What do we believe from a signed request? # - what it says it is asking for. # - what it quotes as credentials # It could actually enclose a copy of the credentials inline, # but here we use the web. A credential is a document which # provides evidence in support of the request. {:G acc:requestSupportedBy :k; log:includes {:G acc:forDocument :d}} => {:G acc:forDocument :d}. {:G acc:requestSupportedBy :k; log:includes {:G acc:credential :d}} => {:G acc:credential :d}. # What do we belive from a signed credential. # # In this case, just note that a key supports the signed formula. # The fact of this support is used in the access rule above. # We don't actually beleive everything the certificate says. { [] acc:credential [ log:semantics :F ]. :F log:includes { :str acc:endorsement[acc:signature :sig; acc:key :k]}. :k crypto:verify ([is crypto:md5 of :str] :sig). :str log:parsedAsN3 :G } log:implies { :G acc:certSupportedBy :k }.
The important thing is that we are really trusting very specific information from different sources.
14 of 18 |