[Documentation] [TitleIndex] [WordIndex

Policy Dissemination

This page puts forth deferent modalities of policy dissemination for access control. Policies are used to help define the resources and actions that identifies are authorized to engage. For SROS, identifies are ROS nodes and policy permissions encompass the ROS API:

To disseminate this information on what a node is allowed to preform, there are several school of thought on mater. Here we'll explore each and expand upon their strengths and weaknesses.

Certificate Embedding

Certificates, such as the X.509 standard can be used as vessels for policy constraints. Specifically, X.509 possess standardized extensions used to encode policy meta data, such that it can be singed and verified via PKI and CAs to avoid tampering of the imposed restrictions by end parties. SROS currently uses X.509 certificate and for TLS handshaking when establishing a secure network socket connection between nodes. These certificates is also used as a payload for conveying policy information to prove to the peer node it is authorized to access the requested resource with the requested action. Let us flesh out some pros and cons of this approach:

Pros

Cons

Online Arbiter

An arbiter, or centralized authority, could also be used to authorize requested exchanges. Specifically, a process that is made aware of the global policy definition could be contacted by nodes in the process of negotiating access to deliberate judgment on whether the requested resource/action is permissible by the inquiring identity. This is similar to the existing DNS like behavior of the master node in ROS1, but instead of resolving namespaces, the arbiter would resolve access control restrictions.

Pros

Cons


2020-09-12 12:26