Internet Engineering Task Force (IETF) A. Knauf Request for Comments: 8076 T. Schmidt, Ed. Category: Standards Track HAW Hamburg ISSN: 2070-1721 G. Hege daviko GmbH M. Waehlisch link-lab & FU Berlin March 2017
Internet Engineering Task Force (IETF) A. Knauf Request for Comments: 8076 T. Schmidt, Ed. Category: Standards Track HAW Hamburg ISSN: 2070-1721 G. Hege daviko GmbH M. Waehlisch link-lab & FU Berlin March 2017
A Usage for Shared Resources in RELOAD (ShaRe)
重新加载(共享)中共享资源的使用情况
Abstract
摘要
This document defines a REsource LOcation And Discovery (RELOAD) Usage for managing shared write access to RELOAD Resources. Shared Resources in RELOAD (ShaRe) form a basic primitive for enabling various coordination and notification schemes among distributed peers. Access in ShaRe is controlled by a hierarchical trust delegation scheme maintained within an access list. A new USER-CHAIN-ACL access policy allows authorized peers to write a Shared Resource without owning its corresponding certificate. This specification also adds mechanisms to store Resources with a variable name that is useful whenever peer-independent rendezvous processes are required.
本文档定义了资源位置和发现(重新加载)用法,用于管理用于重新加载资源的共享写入访问。RELOAD(ShaRe)中的共享资源构成了一个基本原语,用于支持分布式对等点之间的各种协调和通知方案。共享中的访问由访问列表中维护的分层信任委派方案控制。新的USER-CHAIN-ACL访问策略允许授权的对等方在不拥有相应证书的情况下写入共享资源。该规范还添加了使用变量名存储资源的机制,该变量名在需要对等独立会合过程时非常有用。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 7841第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8076.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc8076.
Copyright Notice
版权公告
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2017 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Shared Resources in RELOAD . . . . . . . . . . . . . . . . . 5 3.1. Mechanisms for Isolating Stored Data . . . . . . . . . . 6 4. Access Control List Definition . . . . . . . . . . . . . . . 7 4.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 7 4.2. Data Structure . . . . . . . . . . . . . . . . . . . . . 9 5. Extension for Variable Resource Names . . . . . . . . . . . . 10 5.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 10 5.2. Data Structure . . . . . . . . . . . . . . . . . . . . . 11 5.3. Overlay Configuration Document Extension . . . . . . . . 12 6. Access Control to Shared Resources . . . . . . . . . . . . . 13 6.1. Granting Write Access . . . . . . . . . . . . . . . . . . 13 6.2. Revoking Write Access . . . . . . . . . . . . . . . . . . 14 6.3. Validating Write Access through an ACL . . . . . . . . . 14 6.4. Operations of Storing Peers . . . . . . . . . . . . . . . 15 6.5. Operations of Accessing Peers . . . . . . . . . . . . . . 16 6.6. USER-CHAIN-ACL Access Policy . . . . . . . . . . . . . . 16 7. ACCESS-CONTROL-LIST Kind Definition . . . . . . . . . . . . . 17 8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 8.1. Resource Exhaustion . . . . . . . . . . . . . . . . . . . 17 8.2. Malicious or Misbehaving Storing Peer . . . . . . . . . . 18 8.3. Trust Delegation to a Malicious or Misbehaving Peer . . . 18 8.4. Privacy Issues . . . . . . . . . . . . . . . . . . . . . 18 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 9.1. Access Control Policy . . . . . . . . . . . . . . . . . . 19 9.2. Data Kind-ID . . . . . . . . . . . . . . . . . . . . . . 19 9.3. XML Namespace Registration . . . . . . . . . . . . . . . 19 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 10.1. Normative References . . . . . . . . . . . . . . . . . . 20 10.2. Informative References . . . . . . . . . . . . . . . . . 20 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 21 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Shared Resources in RELOAD . . . . . . . . . . . . . . . . . 5 3.1. Mechanisms for Isolating Stored Data . . . . . . . . . . 6 4. Access Control List Definition . . . . . . . . . . . . . . . 7 4.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 7 4.2. Data Structure . . . . . . . . . . . . . . . . . . . . . 9 5. Extension for Variable Resource Names . . . . . . . . . . . . 10 5.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 10 5.2. Data Structure . . . . . . . . . . . . . . . . . . . . . 11 5.3. Overlay Configuration Document Extension . . . . . . . . 12 6. Access Control to Shared Resources . . . . . . . . . . . . . 13 6.1. Granting Write Access . . . . . . . . . . . . . . . . . . 13 6.2. Revoking Write Access . . . . . . . . . . . . . . . . . . 14 6.3. Validating Write Access through an ACL . . . . . . . . . 14 6.4. Operations of Storing Peers . . . . . . . . . . . . . . . 15 6.5. Operations of Accessing Peers . . . . . . . . . . . . . . 16 6.6. USER-CHAIN-ACL Access Policy . . . . . . . . . . . . . . 16 7. ACCESS-CONTROL-LIST Kind Definition . . . . . . . . . . . . . 17 8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 8.1. Resource Exhaustion . . . . . . . . . . . . . . . . . . . 17 8.2. Malicious or Misbehaving Storing Peer . . . . . . . . . . 18 8.3. Trust Delegation to a Malicious or Misbehaving Peer . . . 18 8.4. Privacy Issues . . . . . . . . . . . . . . . . . . . . . 18 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 9.1. Access Control Policy . . . . . . . . . . . . . . . . . . 19 9.2. Data Kind-ID . . . . . . . . . . . . . . . . . . . . . . 19 9.3. XML Namespace Registration . . . . . . . . . . . . . . . 19 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 10.1. Normative References . . . . . . . . . . . . . . . . . . 20 10.2. Informative References . . . . . . . . . . . . . . . . . 20 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 21 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
[RFC6940] defines the base protocol for REsource LOcation And Discovery (RELOAD), which allows for application-specific extensions by Usages. The present document defines such a RELOAD Usage for managing shared write access to RELOAD Resources and a mechanism to store Resources with variable names. The Usage for Shared Resources in RELOAD (ShaRe) enables overlay users to share their exclusive write access to specific Resource/Kind pairs with others. Shared Resources form a basic primitive for enabling various coordination and notification schemes among distributed peers. Write permission is controlled by an Access Control List (ACL) Kind that maintains a chain of Authorized Peers for a particular Shared Resource. A newly defined USER-CHAIN-ACL access control policy enables shared write access in RELOAD.
[RFC6940]定义了资源定位和发现(重新加载)的基本协议,该协议允许按用途进行特定于应用程序的扩展。本文档定义了用于管理共享写入访问以重新加载资源的重新加载用法,以及用于存储具有变量名称的资源的机制。重载(共享)中共享资源的使用使覆盖用户能够与其他用户共享其对特定资源/种类对的独占写入访问权。共享资源构成了一个基本原语,用于支持分布式对等点之间的各种协调和通知方案。写入权限由一种访问控制列表(ACL)控制,ACL为特定共享资源维护一个授权对等链。新定义的USER-CHAIN-ACL访问控制策略在重新加载时启用共享写入访问。
The Usage for Shared Resources in RELOAD is designed for jointly coordinated group applications among distributed peers (e.g., third-party registration, see [RFC7904], or distributed conferencing). Of particular interest are rendezvous processes, where a single identifier is linked to multiple, dynamic instances of a distributed cooperative service. Shared write access is based on a trust delegation mechanism that transfers the authorization to write a specific Kind data by storing logical Access Control Lists. An ACL contains the ID of the Kind to be shared and contains trust delegations from one authorized to another (previously unauthorized) user.
RELOAD中共享资源的使用是为分布式对等方之间的联合协调组应用程序而设计的(例如,第三方注册,请参见[RFC7904]或分布式会议)。特别令人感兴趣的是集合过程,其中单个标识符链接到分布式协作服务的多个动态实例。共享写访问基于信任委托机制,该机制通过存储逻辑访问控制列表来传输写入特定种类数据的授权。ACL包含要共享的ID类型,并包含从一个授权用户到另一个(以前未授权的)用户的信任委托。
Shared write access augments the RELOAD security model, which is based on the restriction that peers are only allowed to write resources at a small set of well-defined locations (Resource-IDs) in the overlay. Using the standard access control rules in RELOAD, these locations are bound to the username or Node-ID in the peer's certificate. This document extends the base policies to enable a controlled write access for multiple users to a common Resource-ID.
共享写访问增强了重新加载安全模型,该模型基于这样的限制,即对等方只能在覆盖中的一小部分定义良好的位置(资源ID)写入资源。使用RELOAD中的标准访问控制规则,这些位置将绑定到对等方证书中的用户名或节点ID。本文档扩展了基本策略,允许多个用户对公共资源ID进行受控写访问。
Additionally, this specification defines an optional mechanism to store Resources with a variable Resource Name. It enables the storage of Resources whose name complies to a specific pattern. Definition of the pattern is arbitrary, but it must contain the username of the Resource creator.
此外,该规范还定义了一种可选机制来存储具有可变资源名称的资源。它允许存储名称符合特定模式的资源。模式的定义是任意的,但它必须包含资源创建者的用户名。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
This document uses the terminology and definitions from the RELOAD base [RFC6940] and [RFC7890], in particular the RELOAD Usage, Resource, and Kind. Additionally, the following terms are used:
本文档使用重新加载库[RFC6940]和[RFC7890]中的术语和定义,特别是重新加载的使用、资源和种类。此外,还使用以下术语:
Shared Resource: The term "Shared Resource" in this document defines a RELOAD Resource with its associated Kinds that can be written or overwritten by multiple RELOAD users following the specifications in this document.
共享资源:本文档中的术语“共享资源”定义了可由多个重新加载用户按照本文档中的规范写入或覆盖的重新加载资源及其相关类型。
Access Control List: The term "Access Control List" in this document defines a logical list of RELOAD users allowed to write a specific RELOAD Resource/Kind pair by following the specifications in this document. The list items are stored as Access Control List Kinds that map trust delegations from user A to user B, where A is allowed to write a Shared Resource and the Access Control List, while B is a user that obtains write access to specified Kinds from A.
访问控制列表:本文档中的术语“访问控制列表”定义了允许按照本文档中的规范写入特定重新加载资源/种类对的重新加载用户的逻辑列表。列表项存储为访问控制列表种类,这些种类将信任委托从用户A映射到用户B,其中允许A写入共享资源和访问控制列表,而B是从A获得对指定种类的写入访问权限的用户。
Resource Owner: The term "Resource Owner" in this document defines a RELOAD peer that initially stored a Resource to be shared. The Resource Owner possesses the RELOAD certificate that grants write access to a specific Resource/Kind pair using the RELOAD certificate-based access control policies.
资源所有者:本文档中的术语“资源所有者”定义了一个重新加载的对等方,该对等方最初存储了要共享的资源。资源所有者拥有重载证书,该证书使用基于重载证书的访问控制策略授予对特定资源/种类对的写访问权。
Authorized Peer: The term "Authorized Peer" in this document defines a RELOAD peer that was granted write access to a Shared Resource by permission of the Resource Owner or another Authorized Peer.
授权对等体:本文档中的术语“授权对等体”定义了一个重载对等体,该重载对等体通过资源所有者或另一个授权对等体的权限被授予对共享资源的写访问权。
A RELOAD user that owns a certificate for writing at a specific overlay location can maintain one or more RELOAD Kinds that are designated for a non-exclusive write access shared with other RELOAD users. The mechanism to share those Resource/Kind pairs with a group of users consists of two basic steps:
在特定覆盖位置拥有写入证书的重新加载用户可以维护一个或多个重新加载类型,这些重新加载类型指定用于与其他重新加载用户共享的非独占写入访问。与一组用户共享这些资源/种类对的机制包括两个基本步骤:
1. Storage of the Resource/Kind pairs to be shared.
1. 要共享的资源/种类对的存储。
2. Storage of an Access Control List (ACL) associated with those Kinds.
2. 存储与这些类型关联的访问控制列表(ACL)。
ACLs are created by the Resource Owner and contain ACL items, each delegating the permission of writing the shared Kind to a specific user called the "Authorized Peer". For each shared Kind data, its Resource owner stores a root item that initiates an Access Control List. Trust delegation to the Authorized Peer can include the right to further delegate the write permission, enabling a tree of trust delegations with the Resource Owner as trust anchor at its root.
ACL由资源所有者创建并包含ACL项,每个ACL项都将写入共享种类的权限委托给称为“授权对等方”的特定用户。对于每个共享种类数据,其资源所有者存储一个根项,该根项启动访问控制列表。对授权对等方的信任委派可以包括进一步委派写入权限的权利,从而启用一个信任委派树,在其根目录中将资源所有者作为信任锚点。
The Resource/Kind pair to be shared can be any RELOAD Kind that complies to the following specifications:
要共享的资源/种类对可以是符合以下规范的任何重新加载种类:
Isolated Data Storage: To prevent concurrent writing from race conditions, each data item stored within a Shared Resource SHALL be exclusively maintained by the RELOAD user who created it. Hence, Usages that allow the storage of Shared Resources are REQUIRED to use either the array or dictionary data model and apply additional mechanisms for isolating data as described in Section 3.1.
隔离数据存储:为了防止竞争条件下的并发写入,存储在共享资源中的每个数据项都应由创建它的重新加载用户专门维护。因此,如第3.1节所述,允许存储共享资源的使用需要使用数组或字典数据模型,并应用额外的机制来隔离数据。
Access Control Policy: To ensure write access to Shared Resource by Authorized Peers, each Usage MUST use the USER-CHAIN-ACL access policy as described in Section 6.6.
访问控制策略:为确保授权对等方对共享资源的写访问,每次使用都必须使用第6.6节所述的USER-CHAIN-ACL访问策略。
Resource Name Extension: To enable Shared Resources to be stored using a variable resource name, this document defines an optional ResourceNameExtension structure. It contains the Resource Name of the Kind data to be stored and allows any receiver of a shared data to validate whether the Resource Name hashes to the Resource-ID. The ResourceNameExtension is made optional by configuration. The ResourceNameExtension field is only present in the Kind data structure when configured in the corresponding kind-block of the overlay configuration document (for more details, see Section 5.3). If the configuration allows variable resource names, a Kind using the USER-CHAIN-ACL policy MUST use the ResourceNameExtension as the initial field within the Kind data structure definition. Otherwise, the Kind data structure does not contain the ResourceNameExtension structure.
资源名称扩展:为了使用可变资源名称存储共享资源,本文档定义了可选的ResourceNameExtension结构。它包含要存储的种类数据的资源名称,并允许共享数据的任何接收器验证资源名称是否散列到Resource-ID。ResourceNameExtension通过配置变得可选。ResourceNameExtension字段仅在覆盖配置文档的相应种类块中配置时才出现在种类数据结构中(有关更多详细信息,请参阅第5.3节)。如果配置允许可变资源名称,则使用USER-CHAIN-ACL策略的种类必须使用ResourceNameExtension作为种类数据结构定义中的初始字段。否则,种类数据结构不包含ResourceNameExtension结构。
This section defines mechanisms to avoid race conditions while concurrently writing an array or dictionary of a Shared Resource.
本节定义了在并发编写共享资源的数组或字典时避免竞争条件的机制。
If a dictionary is used in the Shared Resource, the dictionary key MUST be the Node-ID of the certificate that will be used to sign the stored data. Thus, data access is bound to the unique ID holder, and write concurrency does not occur.
如果在共享资源中使用字典,则字典密钥必须是将用于对存储数据进行签名的证书的节点ID。因此,数据访问绑定到唯一ID持有者,并且不会发生写并发。
If the data model of the Shared Resource is an array, each Authorized Peer that chooses to write data SHALL obtain its exclusive range of the array indices. The following algorithm will generate an array indexing scheme that avoids collisions:
如果共享资源的数据模型是数组,则选择写入数据的每个授权对等方应获得其数组索引的独占范围。以下算法将生成避免冲突的数组索引方案:
1. Obtain the Node-ID of the certificate that will be used to sign the stored data.
1. 获取将用于对存储数据进行签名的证书的节点ID。
2. Take the least significant 24 bits of that Node-ID to prefix the array index.
2. 取该节点ID的最低有效24位作为数组索引的前缀。
3. Append an 8-bit individual index value to those 24 bits of the Node-ID.
3. 将一个8位的单独索引值附加到Node-ID的24位。
The resulting 32-bit long integer MUST be used as the index for storing an array entry in a Shared Resource. The 24 bits of the Node-ID serve as a collision-resistant identifier. The 8-bit individual index remains under the control of a single Peer and can be incremented individually for further array entries. In total, each Peer can generate 256 distinct entries for application-specific use.
生成的32位长整数必须用作在共享资源中存储数组项的索引。节点ID的24位用作抗冲突标识符。8位单独索引仍在单个对等方的控制下,并且可以为进一步的数组条目单独递增。总的来说,每个对等方可以为特定于应用程序的使用生成256个不同的条目。
The mechanism to create the array index inherits collision-resistance from the overlay hash function in use (e.g., SHA-1). It is designed to work reliably for small sizes of groups as applicable to resource sharing. In the rare event of a collision, the Storing Peer will refuse to (over-)write the requested array index and protect indexing integrity as defined in Section 6.1. A Peer could rejoin the overlay with a different Node-ID in such a case.
创建数组索引的机制继承了使用中的覆盖哈希函数(例如SHA-1)的抗冲突性。它被设计为适用于资源共享的小规模组的可靠工作。在罕见的冲突事件中,存储对等方将拒绝(过度)写入请求的数组索引,并保护第6.1节中定义的索引完整性。在这种情况下,对等方可以使用不同的节点ID重新加入覆盖。
An Access Control List (ACL) is a (self-managed) Shared Resource that contains a list of AccessControlListItem structures as defined in Section 4.2. Each entry delegates write access for a specific Kind data to a single RELOAD user. An ACL enables the RELOAD user who is authorized to write a specific Resource-ID to delegate his exclusive write access to a specific Kind to further users of the same RELOAD overlay. Therefore, each Access Control List data structure carries the information about who obtains write access, the Kind-ID of the Resource to be shared, and whether delegation includes write access to the ACL itself. The latter condition grants the right to delegate write access further for the Authorized Peer. Access Control Lists are stored at the same overlay location as the Shared Resource and use the RELOAD array data model. They are initially created by the Resource Owner.
访问控制列表(ACL)是一种(自我管理的)共享资源,包含第4.2节中定义的AccessControlListItem结构列表。每个条目都将特定种类数据的写入权限委托给单个重新加载用户。ACL允许有权写入特定资源ID的重新加载用户将其对特定类型的独占写入权限委托给具有相同重新加载覆盖的其他用户。因此,每个访问控制列表数据结构携带关于谁获得写访问权、要共享的资源的种类ID以及委托是否包括对ACL本身的写访问权的信息。后一个条件授予授权对等方进一步委托写访问的权利。访问控制列表存储在与共享资源相同的覆盖位置,并使用重新加载阵列数据模型。它们最初由资源所有者创建。
Figure 1 shows an example of an Access Control List. We omit the res_name_ext field to simplify illustration. The array entry at index 0x123abc01 displays the initial creation of an ACL for a Shared Resource of Kind-ID 1234 at the same Resource-ID. It represents the root item of the trust delegation tree for this shared RELOAD Kind. The root entry MUST contain the username of the Resource owner in the "to_user" field and can only be written by the owner of the public key certificate associated with this Resource-ID. The allow_delegation (ad) flag for a root ACL item is set to 1 by default. The array index is generated by using the mechanism for isolating stored data as described in Section 3.1. Hence, the most significant 24 bits of the array index (0x123abc) are the least significant 24 bits of the Node-ID of the Resource Owner.
图1显示了一个访问控制列表的示例。为了简化说明,我们省略了res_name_ext字段。索引0x123abc01处的数组项显示在同一资源ID处为ID为1234的共享资源创建ACL的初始过程。它表示此共享资源类型的信任委派树的根项。根条目必须在“to_user”字段中包含资源所有者的用户名,并且只能由与此资源ID关联的公钥证书的所有者写入。根ACL项的allow_delegation(ad)标志默认设置为1。如第3.1节所述,通过使用隔离存储数据的机制生成数组索引。因此,数组索引的最高有效24位(0x123abc)是资源所有者的节点ID的最低有效24位。
The array item at index 0x123abc02 represents the first trust delegation to an Authorized Peer that is thus permitted to write to the Shared Resource of Kind-ID 1234. Additionally, the Authorized peer Alice is also granted write access to the ACL as indicated by the allow_delegation flag (ad) set to 1. This configuration authorizes Alice to store further trust delegations to the Shared Resource, i.e., add items to the ACL. On the contrary, index 0x456def01 illustrates trust delegation for Kind-ID 1234, in which the Authorized Peer Bob is not allowed to grant access to further peers (ad = 0). Each Authorized Peer signs its ACL items by using its own signer identity along with its own private key. This allows other peers to validate the origin of an ACL item and makes ownership transparent.
索引0x123abc02处的数组项表示对授权对等方的第一次信任委托,因此允许该对等方写入种类ID为1234的共享资源。此外,授权对等Alice还被授予对ACL的写访问权,如设置为1的allow_delegation flag(ad)所示。此配置授权Alice存储对共享资源的进一步信任委托,即向ACL添加项。相反,索引0x456def01说明了种类ID 1234的信任委托,其中授权对等方Bob不允许向其他对等方授予访问权限(ad=0)。每个授权对等方通过使用自己的签名者身份和私钥对其ACL项进行签名。这允许其他对等方验证ACL项的来源,并使所有权透明。
To manage Shared Resource access of multiple Kinds at a single location, the Resource Owner can create new ACL entries that refer to another Kind-ID as shown in array entry index 0x123abc03. Note that overwriting existing items in an Access Control List with a change in the Kind-ID revokes all trust delegations in the corresponding subtree (see Section 6.2). Authorized Peers are only enabled to overwrite existing ACL item they own. The Resource Owner is allowed to overwrite any existing ACL item, but should be aware of its consequences on the trust delegation chain.
要在单个位置管理多个种类的共享资源访问,资源所有者可以创建引用另一个种类ID的新ACL条目,如数组条目索引0x123abc03所示。请注意,使用种类ID的更改覆盖访问控制列表中的现有项将撤销相应子树中的所有信任委派(请参见第6.2节)。授权对等方只能覆盖其拥有的现有ACL项。允许资源所有者覆盖任何现有ACL项,但应注意其对信任委派链的影响。
+------------------------------------------------------+ | Access Control List | +-----------+------------------------------+-----------+ | #Index | Array Entries | signed by | +-----------+------------------------------+-----------+ | 123abc01 | to_user:Owner Kind:1234 ad:1 | Owner | +-----------+------------------------------+-----------+ | 123abc02 | to_user:Alice Kind:1234 ad:1 | Owner | +-----------+------------------------------+-----------+ | 123abc03 | to_user:Owner Kind:4321 ad:1 | Owner | +-----------+------------------------------+-----------+ | 123abc04 | to_user:Carol Kind:4321 ad:0 | Owner | +-----------+------------------------------+-----------+ | ... | ... | ... | +-----------+------------------------------+-----------+ | 456def01 | to_user:Bob Kind:1234 ad:0 | Alice | +-----------+------------------------------+-----------+ | ... | ... | ... | +-----------+------------------------------+-----------+
+------------------------------------------------------+ | Access Control List | +-----------+------------------------------+-----------+ | #Index | Array Entries | signed by | +-----------+------------------------------+-----------+ | 123abc01 | to_user:Owner Kind:1234 ad:1 | Owner | +-----------+------------------------------+-----------+ | 123abc02 | to_user:Alice Kind:1234 ad:1 | Owner | +-----------+------------------------------+-----------+ | 123abc03 | to_user:Owner Kind:4321 ad:1 | Owner | +-----------+------------------------------+-----------+ | 123abc04 | to_user:Carol Kind:4321 ad:0 | Owner | +-----------+------------------------------+-----------+ | ... | ... | ... | +-----------+------------------------------+-----------+ | 456def01 | to_user:Bob Kind:1234 ad:0 | Alice | +-----------+------------------------------+-----------+ | ... | ... | ... | +-----------+------------------------------+-----------+
Figure 1: Simplified Example of an Access Control List, Including Entries for Two Different Kind-IDs and Varying Delegation (AD) Configurations
图1:访问控制列表的简化示例,包括两个不同种类ID的条目和不同的委托(AD)配置
Implementors of ShaRe should be aware that the trust delegation in an Access Control List need not be loop free. Self-contained circular trust delegation from A to B and B to A are syntactically possible, even though not very meaningful.
ShaRe的实现者应该知道,访问控制列表中的信任委托不必是无循环的。从A到B和从B到A的自包含循环信任委托在语法上是可能的,尽管不是很有意义。
The Kind data structure for the Access Control List is defined as follows:
访问控制列表的种类数据结构定义如下:
struct { /* res_name_ext is optional, see documentation */ ResourceNameExtension res_name_ext; opaque to_user<0..2^16-1>; KindId kind; Boolean allow_delegation; } AccessControlListItem;
struct { /* res_name_ext is optional, see documentation */ ResourceNameExtension res_name_ext; opaque to_user<0..2^16-1>; KindId kind; Boolean allow_delegation; } AccessControlListItem;
The AccessControlListItem structure is composed of:
AccessControlListItem结构由以下部分组成:
res_name_ext: This optional field contains the Resource Name of a ResourceNameExtension (see Section 5.2) to be used by a Shared Resource with a variable resource name. This name is used by the storing peer for validating, whether a variable resources name matches one of the predefined naming pattern from the configuration document for this Kind. The presence of this field is bound to a variable resource name element in the corresponding kind-block of the configuration document whose "enable" attribute is set to true (see Section 5.3). Otherwise, if the "enable" attribute is false, the res_name_ext field SHALL NOT be present in the Kind data structure.
res_name_ext:此可选字段包含ResourceNameExtension的资源名称(请参见第5.2节),该扩展将由具有可变资源名称的共享资源使用。存储对等方使用此名称验证变量资源名称是否与此类配置文档中的预定义命名模式之一匹配。此字段的存在绑定到配置文档相应种类块中的可变资源名称元素,其“enable”属性设置为true(参见第5.3节)。否则,如果“enable”属性为false,则种类数据结构中不应出现res_name_ext字段。
to_user: This field contains the username of the RELOAD peer that obtains write permission to the Shared Resource.
to_user:此字段包含获得对共享资源的写入权限的重新加载对等方的用户名。
kind: This field contains the Kind-ID of the Shared Resource.
种类:此字段包含共享资源的种类ID。
allow_delegation: If true, this Boolean flag indicates that the Authorized Peer in the 'to_user' field is allowed to add additional entries to the ACL for the specified Kind-ID.
allow_delegation:如果为true,则此布尔标志表示允许“to_user”字段中的授权对等方为指定的种类ID向ACL添加其他条目。
In certain use cases, such as conferencing, it is desirable to increase the flexibility of a peer in using Resource Names beyond those defined by the username or Node-ID fields in its certificate. For this purpose, this document presents the concept for variable Resources Names that enables providers of RELOAD instances to define relaxed naming schemes for overlay Resources.
在某些用例中,例如会议,需要增加对等方在使用资源名称时的灵活性,使其超出由其证书中的用户名或节点ID字段定义的资源名称。为此,本文档介绍了可变资源名称的概念,使重载实例的提供者能够为覆盖资源定义宽松的命名方案。
Each RELOAD node uses a certificate to identify itself using its username (or Node-ID) while storing data under a specific Resource-ID (see Section 7.3 in [RFC6940]). The specifications in this document scheme adhere to this paradigm, but enable a RELOAD peer to store values of Resource Names that are derived from the username in its certificate. This is done by using a Resource Name with a variable substring that still matches the username in the certificate using a pattern defined in the overlay configuration document. Thus, despite being variable, an allowable Resource Name remains tied to the Owner's certificate. A sample pattern might be formed as follows:
每个重新加载节点使用一个证书来使用其用户名(或节点ID)标识自己,同时将数据存储在特定的资源ID下(请参阅[RFC6940]中的第7.3节)。此文档方案中的规范遵循此范例,但允许重载对等方在其证书中存储从用户名派生的资源名称值。这是通过使用资源名称和变量子字符串来完成的,该变量子字符串仍然与证书中的用户名匹配,使用覆盖配置文档中定义的模式。因此,尽管是可变的,但允许的资源名称仍然与所有者的证书绑定。样本模式可形成如下所示:
Example Pattern: .*-conf-$USER@$DOMAIN
示例模式:.*-conf-$USER@$DOMAIN
When defining the pattern, care must be taken to avoid conflicts arising from two usernames of which one is a substring of the other. In such cases, the holder of the shorter name could threaten to block the resources of the longer-named peer by choosing the variable part of a Resource Name to contain the entire longer username. For example, a "*$USER" pattern would allow user EVE to define a resource with name "STEVE" and to block the resource name for user STEVE through this. This problem can easily be mitigated by delimiting the variable part of the pattern from the username part by some fixed string, that by convention is not part of a username (e.g., the "-conf-" in the above Example).
定义模式时,必须注意避免两个用户名(其中一个是另一个的子字符串)产生冲突。在这种情况下,较短名称的持有者可能会通过选择资源名称的可变部分来包含整个较长用户名,从而威胁阻止较长名称对等方的资源。例如,“*$USER”模式允许用户EVE定义一个名为“STEVE”的资源,并通过该模式阻止用户STEVE的资源名。通过将模式的可变部分与用户名部分用固定字符串分隔开来,可以很容易地缓解这个问题,按照惯例,固定字符串不是用户名的一部分(例如,上面示例中的“-conf-”)。
This section defines the optional ResourceNameExtension structure for every Kind that uses the USER-CHAIN-ACL access control policy.
本节为使用USER-CHAIN-ACL访问控制策略的每种类型定义可选的ResourceNameExtension结构。
enum { pattern(1), (255)} ResourceNameType;
enum { pattern(1), (255)} ResourceNameType;
struct { ResourceNameType type; uint16 length;
struct { ResourceNameType type; uint16 length;
select(type) { case pattern: opaque resource_name<0..2^16-1>;
select(type) { case pattern: opaque resource_name<0..2^16-1>;
/* Types can be extended */ }; } ResourceNameExtension;
/* Types can be extended */ }; } ResourceNameExtension;
The content of the ResourceNameExtension consists of:
ResourceNameExtension的内容包括:
length: This field contains the length of the remaining data structure. It is only used to allow for further extensions to this data structure.
长度:此字段包含剩余数据结构的长度。它仅用于允许对此数据结构进行进一步扩展。
The content of the rest of the data structure depends of the ResourceNameType. Currently, the only defined type is "pattern".
数据结构其余部分的内容取决于ResourceNameType的类型。目前,唯一定义的类型是“模式”。
If the type is "pattern", then the following data structure contains an opaque <0..2^16-1> field containing the Resource Name of the Kind being stored. The type "pattern" further indicates that the Resource Name MUST match to one of the variable resource name patterns defined for this Kind in the configuration document.
如果类型为“pattern”,则以下数据结构包含一个不透明的<0..2^16-1>字段,其中包含所存储类型的资源名称。类型“pattern”进一步指示资源名称必须与配置文档中为此类型定义的可变资源名称模式之一匹配。
The ResourceNameType enum and the ResourceNameExtension structure can be extended by further Usages to define other naming schemes.
ResourceNameType枚举和ResourceNameExtension结构可以通过进一步使用来扩展,以定义其他命名方案。
This section extends the overlay configuration document by defining new elements for patterns relating resource names to usernames. It is noteworthy that additional constraints on the syntax and semantic of names can apply according to specific Usages. For example, Address of Record (AOR) syntax restrictions apply when using P2PSIP [RFC7904], while a more general naming is feasible in plain RELOAD.
本节通过为将资源名与用户名关联的模式定义新元素来扩展覆盖配置文档。值得注意的是,可以根据具体用法对名称的语法和语义施加额外的限制。例如,当使用P2PSIP[RFC7904]时,记录地址(AOR)语法限制适用,而在普通重载中,更通用的命名是可行的。
The <variable-resource-names> element serves as a container for one or multiple <pattern> sub-elements. It is an additional parameter within the kind-block and has a boolean "enable" attribute that indicates, if true, that the overlay provider allows variable resource names for this Kind. The default value of the "enable" attribute is "false". In the absence of a <variable-resource-names> element for a Kind using the USER-CHAIN-ACL access policy (see Section 6.6), implementors MUST assume this default value.
<variable resource names>元素用作一个或多个子元素的容器。它是种类块中的一个附加参数,具有一个布尔“enable”属性,如果为true,则表示覆盖提供程序允许这种类型的变量资源名。“enable”属性的默认值为“false”。如果使用USER-CHAIN-ACL访问策略的种类没有<variable resource names>元素(参见第6.6节),则实现者必须采用此默认值。
A <pattern> element MUST be present if the "enabled" attribute of its parent element is set to true. Each <pattern> element defines a pattern for constructing extended resource names for a single Kind. It is of type xsd:string and interpreted as a regular expression according to "POSIX Extended Regular Expression" (see the specifications in [IEEE-Posix]). In this regular expression, $USER and $DOMAIN are used as variables for the corresponding parts of the string in the certificate username field (with $USER preceding and $DOMAIN succeeding the '@'). Both variables MUST be present in any given pattern definition. Furthermore, variable parts in <pattern> elements defined in the overlay configuration document MUST remain syntactically separated from the username part (e.g., by a dedicated delimiter) to prevent collisions with other names of other users. If no pattern is defined for a Kind, if the "enable" attribute is false, or if the regular expression does not meet the requirements specified in this section, the allowable Resource Names are restricted to the username of the signer for Shared Resource.
如果父元素的“enabled”属性设置为true,则必须存在<pattern>元素。每个<pattern>元素定义一个模式,用于为单个种类构造扩展资源名称。它是xsd:string类型,根据“POSIX扩展正则表达式”(参见[IEEE POSIX]中的规范)解释为正则表达式。在此正则表达式中,$USER和$DOMAIN用作证书用户名字段中字符串相应部分的变量(前面是$USER,后面是$DOMAIN)。这两个变量必须出现在任何给定的模式定义中。此外,覆盖配置文档中定义的<pattern>元素中的变量部分必须在语法上与用户名部分分开(例如,通过专用分隔符),以防止与其他用户的其他名称发生冲突。如果没有为种类定义模式,如果“enable”属性为false,或者如果正则表达式不满足本节中指定的要求,则允许的资源名称仅限于共享资源的签名者的用户名。
The RELAX NG Grammar for the Variable Resource Names Extension reads:
变量资源名称扩展的RELAX NG语法如下:
# VARIABLE RESOURCE URN SUB-NAMESPACE
#变量资源URN子命名空间
namespace share = "urn:ietf:params:xml:ns:p2p:config-base:share"
namespace share = "urn:ietf:params:xml:ns:p2p:config-base:share"
# VARIABLE RESOURCE NAMES ELEMENT
#可变资源名称元素
kind-parameter &= element share:variable-resource-names {
kind-parameter &= element share:variable-resource-names {
attribute enable { xsd:boolean },
属性启用{xsd:boolean},
# PATTERN ELEMENT
#模式元素
element share:pattern { xsd:string }* }?
element share:pattern { xsd:string }* }?
Whitespace and case processing follows the rules of [OASIS.relax_ng] and XML Schema Datatypes [W3C.REC-xmlschema-2-20041028].
空格和大小写处理遵循[OASIS.RELAXNG]和XML模式数据类型[W3C.REC-xmlschema-2-20041028]的规则。
Write access to a Kind that is intended to be shared with other RELOAD users can be initiated solely by the Resource Owner. A Resource Owner can share RELOAD Kinds by using the following procedure:
资源所有者可以单独启动对要与其他重新加载用户共享的类型的写入访问。资源所有者可以使用以下过程共享重新加载类型:
o The Resource Owner stores an ACL root item at the Resource-ID of the Shared Resource. The root item contains the ResourceNameExtension field (see Section 5.2), the username of the Resource Owner and Kind-ID of the Shared Resource. The allow_delegation flag is set to 1. The index of array data structure MUST be generated as described in Section 3.1.
o 资源所有者在共享资源的资源ID处存储ACL根项。根项包含ResourceNameExtension字段(参见第5.2节)、资源所有者的用户名和共享资源的种类ID。allow_委派标志设置为1。数组数据结构的索引必须按照第3.1节所述生成。
o Further ACL items for this Kind-ID stored by the Resource Owner MAY delegate write access to Authorized Peers. These ACL items contain the same resource name extension field, the username of the Authorized Peer, and the Kind-ID of the Shared Resource. Optionally, the Resource Owner sets the "ad" to 1 (the default equals 0) to enable the Authorized Peer to further delegate write access. For each succeeding ACL item, the Resource Owner increments its individual index value by one (see Section 3.1) so that items can be stored in the numerical order of the array index starting with the index of the root item.
o 资源所有者存储的此类ID的其他ACL项可以将写访问权委托给授权的对等方。这些ACL项包含相同的资源名称扩展字段、授权对等方的用户名和共享资源的种类ID。或者,资源所有者将“ad”设置为1(默认值为0),以使授权对等方能够进一步委托写访问。对于每个后续ACL项,资源所有者将其单个索引值增加1(请参见第3.1节),以便可以从根项的索引开始,以数组索引的数字顺序存储项。
An Authorized Peer with delegation allowance ("ad"=1) can extend the access to an existing Shared Resource as follows:
具有授权许可(“ad”=1)的授权对等方可以按如下方式扩展对现有共享资源的访问:
o An Authorized Peer can store additional ACL items at the Resource-ID of the Shared Resource. These ACL items contain the resource name extension field, the username of the newly Authorized Peer, and the Kind-ID of the Shared Resource. Optionally, the "ad" flag is set to 1 for allowing the newly Authorized Peer to further delegate write access. The array index MUST be generated as described in Section 3.1. Each succeeding ACL item can be stored in the numerical order of the array index.
o 授权对等方可以在共享资源的资源ID处存储其他ACL项。这些ACL项包含资源名称扩展字段、新授权对等方的用户名和共享资源的种类ID。可选地,“ad”标志设置为1,以允许新授权的对等方进一步委托写访问。必须按照第3.1节所述生成数组索引。每个后续ACL项都可以按数组索引的数字顺序存储。
A store request by an Authorized Peer that attempts to overwrite any ACL item signed by another Peer is unauthorized and causes an Error_Forbidden response from the Storing Peer. Such access conflicts could be caused by an array index collision. However, the probability of a collision of two or more identical array indices will be negligibly low using the mechanism for isolating stored data (see Section 3.1).
授权对等方试图覆盖另一对等方签署的任何ACL项目的存储请求是未经授权的,并导致存储对等方的错误\u禁止响应。这种访问冲突可能是由数组索引冲突引起的。但是,使用隔离存储数据的机制,两个或多个相同数组索引发生冲突的概率会低得可以忽略不计(参见第3.1节)。
Write permissions are revoked by storing a nonexistent value (see [RFC6940], Section 7.2.1) at the corresponding item of the Access Control List. Revoking a permission automatically invalidates all delegations performed by that user including all subsequent delegations. This allows the invalidation of entire subtrees of the delegations tree with only a single operation. Overwriting the root item with a nonexistent value of an Access List invalidates the entire delegations tree.
通过在访问控制列表的相应项中存储不存在的值(参见[RFC6940],第7.2.1节)来撤销写入权限。撤消权限会自动使该用户执行的所有委派(包括所有后续委派)无效。这允许仅通过一次操作使委托树的整个子树无效。使用不存在的访问列表值覆盖根项将使整个委派树无效。
An existing ACL item MUST only be overwritten by the user who initially stored the corresponding entry, or by the Resource Owner that is allowed to overwrite all ACL items for revoking write access.
现有ACL项只能由最初存储相应项的用户覆盖,或由允许覆盖所有ACL项以撤消写访问的资源所有者覆盖。
To protect the privacy of the users, the Resource Owner SHOULD overwrite all subtrees that have been invalidated.
为了保护用户的隐私,资源所有者应该覆盖所有已失效的子树。
Access Control Lists are used to transparently validate authorization of peers for writing a data value at a Shared Resource. Thereby, it is assumed that the validating peer is in possession of the complete and most recent ACL for a specific Resource/Kind pair. The corresponding procedure consists of recursively traversing the trust delegation tree with strings compared as binary objects. It proceeds as follows:
访问控制列表用于透明地验证对等方在共享资源中写入数据值的授权。因此,假设验证对等方拥有特定资源/种类对的完整和最新ACL。相应的过程包括使用比较为二进制对象的字符串递归遍历信任委托树。其进展如下:
1. Obtain the username of the certificate used for signing the data stored at the Shared Resource. This is the user who requested the write operation.
1. 获取用于对存储在共享资源中的数据进行签名的证书的用户名。这是请求写入操作的用户。
2. Validate that an item of the corresponding ACL (i.e., for this Resource/Kind pair) contains a "to_user" field whose value equals the username obtained in step 1. If the Shared Resource under examination is an Access Control List Kind, further validate if the "ad" flag is set to 1.
2. 验证相应ACL的项目(即,对于此资源/种类对)是否包含“to_user”字段,其值等于步骤1中获得的用户名。如果正在检查的共享资源是访问控制列表类型,则进一步验证“ad”标志是否设置为1。
3. Select the username of the certificate that was used to sign the ACL item obtained in the previous step.
3. 选择用于对上一步中获得的ACL项目进行签名的证书的用户名。
4. Validate that an item of the corresponding ACL contains a "to_user" field whose value equals the username obtained in step 3. Additionally, validate that the "ad" flag is set to 1.
4. 验证相应ACL的项是否包含“to_user”字段,该字段的值等于在步骤3中获得的用户名。此外,验证“ad”标志是否设置为1。
5. Repeat steps 3 and 4 until the "to_user" value is equal to the username of the signer of the ACL in the selected item. This final ACL item is expected to be the root item of this ACL, which MUST be further validated by verifying that the root item was signed by the owner of the ACL Resource.
5. 重复步骤3和4,直到“to_user”值等于所选项目中ACL签名者的用户名。最后一个ACL项应该是此ACL的根项,必须通过验证根项是否由ACL资源的所有者签名来进一步验证。
The trust delegation chain is valid if and only if all verification steps succeed. In this case, the creator of the data value of the Shared Resource is an Authorized Peer.
当且仅当所有验证步骤成功时,信任委托链才有效。在这种情况下,共享资源数据值的创建者是经过授权的对等方。
Note that the ACL validation procedure can be omitted whenever the creator of data at a Shared Resource is the Resource Owner itself. The latter can be verified by its public key certificate as defined in Section 6.6.
请注意,只要共享资源中的数据创建者是资源所有者,就可以省略ACL验证过程。后者可通过第6.6节中定义的公钥证书进行验证。
Storing peers, at which Shared Resource and ACL are physically stored, are responsible for controlling storage attempts to a Shared Resource and its corresponding Access Control List. To assert the USER-CHAIN-ACL access policy (see Section 6.6), a storing peer MUST perform the access validation procedure described in Section 6.3 on any incoming store request using the most recent Access Control List for every Kind that uses the USER-CHAIN-ACL policy. It SHALL further ensure that only the Resource Owner stores new ACL root items for Shared Resources.
物理存储共享资源和ACL的存储对等方负责控制对共享资源及其相应访问控制列表的存储尝试。要断言USER-CHAIN-ACL访问策略(请参见第6.6节),存储对等方必须使用使用USER-CHAIN-ACL策略的每种类型的最新访问控制列表,对任何传入的存储请求执行第6.3节中描述的访问验证过程。它还应进一步确保只有资源所有者存储共享资源的新ACL根项目。
Accessing peers, i.e., peers that fetch a Shared Resource, can validate that the originator of a Shared Resource was authorized to store data at this Resource-ID by processing the corresponding ACL. To enable an accessing peer to perform the access validation procedure described in Section 6.3, it first needs to obtain the most recent Access Control List in the following way:
访问对等方(即获取共享资源的对等方)可以通过处理相应的ACL来验证共享资源的发起方是否有权在该资源ID处存储数据。为了使访问对等方能够执行第6.3节所述的访问验证程序,首先需要通过以下方式获得最新的访问控制列表:
1. Send a Stat request to the Resource-ID of the Shared Resource to obtain all array indexes of stored ACL Kinds (as per [RFC6940], Section 7.4.3.).
1. 向共享资源的资源ID发送Stat请求,以获取存储的ACL类型的所有数组索引(根据[RFC6940],第7.4.3节)。
2. Fetch all indexes of existing ACL items at this Resource-ID by using the array ranges retrieved in the Stat request answer.
2. 使用Stat请求应答中检索到的数组范围获取此资源ID处现有ACL项的所有索引。
Peers can cache previously fetched Access Control Lists up to the maximum lifetime of an individual item. Since stored values could have been modified or invalidated prior to their expiration, an accessing peer SHOULD use a Stat request to check for updates prior to using the data cache.
对等方可以缓存以前获取的访问控制列表,直至单个项的最大生存期。由于存储值在过期之前可能已被修改或失效,因此访问对等方应在使用数据缓存之前使用Stat请求检查更新。
This document specifies an additional access control policy to the RELOAD base document [RFC6940]. The USER-CHAIN-ACL policy allows Authorized Peers to write a Shared Resource, even though they do not own the corresponding certificate. Additionally, the USER-CHAIN-ACL allows the storage of Kinds with a variable resource name that are following one of the specified naming patterns. Hence, on an inbound store request on a Kind that uses the USER-CHAIN-ACL access policy, the following rules MUST be applied:
本文档指定了重新加载基础文档[RFC6940]的附加访问控制策略。USER-CHAIN-ACL策略允许授权的对等方写入共享资源,即使它们不拥有相应的证书。此外,USER-CHAIN-ACL允许使用可变资源名称存储遵循指定命名模式之一的种类。因此,对于使用USER-CHAIN-ACL访问策略的种类的入站存储请求,必须应用以下规则:
In the USER-CHAIN-ACL policy, a given value MUST NOT be written or overwritten, if neither one of USER-MATCH or USER-NODE-MATCH (mandatory if the data model is dictionary) access policies of the base document [RFC6940] applies.
在USER-CHAIN-ACL策略中,如果基础文档[RFC6940]的USER-MATCH或USER-NODE-MATCH(如果数据模型为字典,则为必填项)访问策略均不适用,则不得写入或覆盖给定值。
Additionally, the store request MUST be denied if the signer's certificate does not contain a username that matches to the user and domain portion in one of the variable resource name patterns (cf. Section 5) specified in the configuration document or if the hashed Resource Name does not match the Resource-ID. The Resource Name of the Kind to be stored MUST be taken from the mandatory ResourceNameExtension field in the corresponding Kind data structure.
此外,如果签名者的证书不包含与可变资源名称模式之一中的用户和域部分匹配的用户名,则必须拒绝存储请求(参见第5节)在配置文档中指定,或者哈希资源名称与Resource-ID不匹配。要存储的种类的资源名称必须取自相应种类数据结构中的必填ResourceNameExtension字段。
If the access rights cannot be verified according to the ACL validation procedure described in Section 6.3, the store request MUST also be denied.
如果无法根据第6.3节中描述的ACL验证程序验证访问权限,则还必须拒绝存储请求。
Otherwise, the store request can be processed further.
否则,可以进一步处理存储请求。
This section defines the ACCESS-CONTROL-LIST Kind previously described in this document.
本节定义了本文档前面描述的访问控制列表类型。
Name: ACCESS-CONTROL-LIST
名称:访问控制列表
Kind IDs: The Resource Name for ACCESS-CONTROL-LIST Kind-ID is the Resource Name of the Kind that will be shared by using the ACCESS-CONTROL-LIST Kind.
种类ID:ACCESS-CONTROL-LIST种类ID的资源名称是使用ACCESS-CONTROL-LIST种类共享的种类的资源名称。
Data Model: The data model for the ACCESS-CONTROL-LIST Kind-ID is array. The array indexes are formed by using the mechanism for isolated stored data as described in Section 3.1.
数据模型:访问控制列表种类ID的数据模型为数组。数组索引是使用第3.1节所述的隔离存储数据机制形成的。
Access Control: USER-CHAIN-ACL (see Section 6.6).
访问控制:用户链ACL(见第6.6节)。
In this section, we discuss security issues that are relevant to the usage of Shared Resources in RELOAD [RFC6940].
在本节中,我们将讨论与RELOAD[RFC6940]中共享资源的使用相关的安全问题。
Joining a RELOAD overlay inherently poses a certain resource load on a peer, because it has to store and forward data for other peers. In common RELOAD semantics, each Resource-ID and thus position in the overlay, may only be written by a limited set of peers -- often even only a single peer, which limits this burden. In the case of Shared Resources, a single resource may be written by multiple peers who may even write an arbitrary number of entries (e.g., delegations in the ACL). This leads to an enhanced use of resources at individual overlay nodes. The problem of resource exhaustion can easily be mitigated for Usages based on the ShaRe-Usage by imposing restrictions on size, i.e., <max-size> element for a certain Kind in the configuration document.
加入重新加载覆盖必然会给对等方带来一定的资源负载,因为它必须为其他对等方存储和转发数据。在常见的重载语义中,每个资源ID以及在覆盖中的位置只能由有限的一组对等方写入——通常甚至只有一个对等方,这限制了这种负担。在共享资源的情况下,单个资源可能由多个对等方写入,这些对等方甚至可能写入任意数量的条目(例如,ACL中的委托)。这将提高各个覆盖节点的资源利用率。对于基于共享使用的使用,可以通过对大小施加限制(即配置文档中某一类的<max size>元素),轻松缓解资源消耗问题。
The RELOAD overlay is designed to operate despite the presence of a small set of misbehaving peers. This is not different for Shared Resources since a small set of malicious peers does not disrupt the functionality of the overlay in general, but may have implications for the peers needing to store or access information at the specific locations in the ID space controlled by a malicious peer. A storing peer could withhold stored data, which results in a denial of service to the group using the specific resource. But it could not return forged data, since the validity of any stored data can be independently verified using the attached signatures.
重新加载覆盖被设计为在存在一小部分行为不端的对等点的情况下运行。这与共享资源没有什么不同,因为一小部分恶意对等方通常不会破坏覆盖的功能,但可能会对需要在恶意对等方控制的ID空间中的特定位置存储或访问信息的对等方造成影响。存储对等方可能会扣留存储的数据,从而导致拒绝使用特定资源的组的服务。但它不能返回伪造的数据,因为任何存储数据的有效性都可以使用附加的签名进行独立验证。
A Resource Owner that erroneously delegated write access to a Shared Resource for a misbehaving peer enables this malicious member of the overlay to interfere with the corresponding group application in several unwanted ways. Examples of destructive interferences range from exhausting shared storage to dedicated application-specific misuse. Additionally, a bogus peer that was granted delegation rights may authorize further malicious collaborators to writing the Shared Resource.
资源所有者错误地将对共享资源的写入访问权委托给行为不正常的对等方,使覆盖层的恶意成员能够以几种不必要的方式干扰相应的组应用程序。破坏性干扰的例子从耗尽共享存储到专用的特定应用程序误用。此外,被授予委派权限的伪对等方可能会授权其他恶意合作者写入共享资源。
It is the obligation of the Resource Owner to bind trust delegation to apparent trustworthiness. Additional measures to monitor proper behavior may be applied. In any case, the Resource Owner will be able to revoke the trust delegation of an entire tree in a single overwrite operation. It further holds the right to overwrite any malicious contributions to the shared resource under misuse.
资源所有者有义务将信任委托绑定到明显的可信度。可以采取其他措施来监测适当的行为。在任何情况下,资源所有者都可以在一次覆盖操作中撤销整个树的信任委派。它还拥有在滥用情况下覆盖对共享资源的任何恶意贡献的权利。
All data stored in the Shared Resource is readable by any node in the overlay; thus, applications requiring privacy need to encrypt the data. The ACL needs to be stored unencrypted; thus, the list members of a group using a Shared Resource will always be publicly visible.
存储在共享资源中的所有数据可由覆盖中的任何节点读取;因此,需要隐私的应用程序需要加密数据。ACL需要未加密地存储;因此,使用共享资源的组的列表成员将始终公开可见。
IANA has registered the following entry in the "RELOAD Access Control Policies" registry (cf. [RFC6940]) to represent the USER-CHAIN-ACL Access Control Policy, as described in Section 6.6.
IANA已在“重新加载访问控制策略”注册表(参见[RFC6940])中注册了以下条目,以表示用户链-ACL访问控制策略,如第6.6节所述。
+-------------------+----------+ | Access Policy | RFC | +-------------------+----------+ | USER-CHAIN-ACL | RFC 8076 | +-------------------+----------+
+-------------------+----------+ | Access Policy | RFC | +-------------------+----------+ | USER-CHAIN-ACL | RFC 8076 | +-------------------+----------+
IANA has registered the following code point in the "RELOAD Data Kind-ID" registry (cf. [RFC6940]) to represent the ShaRe ACCESS-CONTROL-LIST kind, as described in Section 7.
IANA已在“重新加载数据种类ID”注册表(参见[RFC6940])中注册了以下代码点,以表示共享访问控制列表种类,如第7节所述。
+----------------------+------------+----------+ | Kind | Kind-ID | RFC | +----------------------+------------+----------+ | ACCESS-CONTROL-LIST | 0x4 | RFC 8076 | +----------------------+------------+----------+
+----------------------+------------+----------+ | Kind | Kind-ID | RFC | +----------------------+------------+----------+ | ACCESS-CONTROL-LIST | 0x4 | RFC 8076 | +----------------------+------------+----------+
This document registers the following URI for the config XML namespace in the IETF XML registry defined in [RFC3688].
本文档在[RFC3688]中定义的IETF XML注册表中为配置XML命名空间注册以下URI。
URI: urn:ietf:params:xml:ns:p2p:config-base:share
URI: urn:ietf:params:xml:ns:p2p:config-base:share
Registrant Contact: The IESG
注册联系人:IESG
XML: N/A, the requested URI is an XML namespace
XML:N/A,请求的URI是一个XML名称空间
[IEEE-Posix] "IEEE Standard for Information Technology - Portable Operating System Interface (POSIX) - Part 2: Shell and Utilities (Vol. 1)", IEEE Std 1003.2-1992, ISBN 1-55937-255-9, DOI 10.1109/IEEESTD.1993.6880751, January 1993, <http://ieeexplore.ieee.org/document/6880751/>.
[IEEE Posix]“IEEE信息技术标准-便携式操作系统接口(Posix)-第2部分:外壳和实用程序(第1卷)”,IEEE标准1003.2-1992,ISBN 1-55937-255-9,DOI 10.1109/IEEESTD.1993.68807511993年1月<http://ieeexplore.ieee.org/document/6880751/>.
[OASIS.relax_ng] Clark, J. and M. Murata, "RELAX NG Specification", December 2001.
[OASIS.RELAXNG]Clark,J.和M.Murata,“RELAXNG规范”,2001年12月。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<http://www.rfc-editor.org/info/rfc2119>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, <http://www.rfc-editor.org/info/rfc3688>.
[RFC3688]Mealling,M.,“IETF XML注册表”,BCP 81,RFC 3688,DOI 10.17487/RFC3688,2004年1月<http://www.rfc-editor.org/info/rfc3688>.
[RFC6940] Jennings, C., Lowekamp, B., Ed., Rescorla, E., Baset, S., and H. Schulzrinne, "REsource LOcation And Discovery (RELOAD) Base Protocol", RFC 6940, DOI 10.17487/RFC6940, January 2014, <http://www.rfc-editor.org/info/rfc6940>.
[RFC6940]Jennings,C.,Lowekamp,B.,Ed.,Rescorla,E.,Baset,S.,和H.Schulzrinne,“资源定位和发现(重新加载)基础协议”,RFC 6940,DOI 10.17487/RFC6940,2014年1月<http://www.rfc-editor.org/info/rfc6940>.
[W3C.REC-xmlschema-2-20041028] Malhotra, A. and P. Biron, "XML Schema Part 2: Datatypes Second Edition", World Wide Web Consortium Recommendation REC-xmlschema-2-20041028, October 2004, <http://www.w3.org/TR/2004/REC-xmlschema-2-20041028>.
[W3C.REC-xmlschema-2-20041028]Malhotra,A.和P.Biron,“XML模式第2部分:数据类型第二版”,万维网联盟建议REC-xmlschema-2-20041028,2004年10月<http://www.w3.org/TR/2004/REC-xmlschema-2-20041028>.
[RFC7890] Bryan, D., Matthews, P., Shim, E., Willis, D., and S. Dawkins, "Concepts and Terminology for Peer-to-Peer SIP (P2PSIP)", RFC 7890, DOI 10.17487/RFC7890, June 2016, <http://www.rfc-editor.org/info/rfc7890>.
[RFC7890]Bryan,D.,Matthews,P.,Shim,E.,Willis,D.,和S.Dawkins,“对等SIP(P2PSIP)的概念和术语”,RFC 7890,DOI 10.17487/RFC78902016年6月<http://www.rfc-editor.org/info/rfc7890>.
[RFC7904] Jennings, C., Lowekamp, B., Rescorla, E., Baset, S., Schulzrinne, H., and T. Schmidt, Ed., "A SIP Usage for REsource LOcation And Discovery (RELOAD)", RFC 7904, DOI 10.17487/RFC7904, October 2016, <http://www.rfc-editor.org/info/rfc7904>.
[RFC7904]Jennings,C.,Lowekamp,B.,Rescorla,E.,Baset,S.,Schulzrinne,H.,和T.Schmidt,Ed.,“资源定位和发现(重新加载)的SIP使用”,RFC 7904,DOI 10.17487/RFC7904,2016年10月<http://www.rfc-editor.org/info/rfc7904>.
Acknowledgments
致谢
This work was stimulated by fruitful discussions in the P2PSIP working group and the SAM research group. We would like to thank all active members for their constructive thoughts and feedback. In particular, the authors would like to thank (in alphabetical order) Emmanuel Baccelli, Ben Campbell, Alissa Cooper, Lothar Grimm, Russ Housley, Cullen Jennings, Matt Miller, Peter Musgrave, Joerg Ott, Marc Petit-Huguenin, Peter Pogrzeba, and Jan Seedorf. This work was partly funded by the German Federal Ministry of Education and Research, projects HAMcast, Mindstone, and SAFEST.
P2PSIP工作组和SAM研究组的富有成果的讨论推动了这项工作。我们要感谢所有积极成员的建设性想法和反馈。特别是,作者要感谢(按字母顺序排列)伊曼纽尔·巴切利、本·坎贝尔、艾莉莎·库珀、洛萨·格里姆、罗斯·霍斯利、卡伦·詹宁斯、马特·米勒、彼得·穆斯格雷夫、约伯格·奥特、马克·佩蒂·胡格宁、彼得·波格泽巴和扬·西多夫。这项工作部分由德国联邦教育和研究部、汉卡斯特项目、明斯通项目和最安全项目资助。
Authors' Addresses
作者地址
Alexander Knauf HAW Hamburg Berliner Tor 7 Hamburg D-20099 Germany
亚历山大·可耐福汉堡柏林塔7汉堡D-20099德国
Phone: +4940428758067 Email: alexanderknauf@gmail.com
Phone: +4940428758067 Email: alexanderknauf@gmail.com
Thomas C. Schmidt HAW Hamburg Berliner Tor 7 Hamburg D-20099 Germany
托马斯·C·施密特汉堡柏林塔7汉堡D-20099德国
Email: t.schmidt@haw-hamburg.de URI: http://inet.haw-hamburg.de/members/schmidt
Email: t.schmidt@haw-hamburg.de URI: http://inet.haw-hamburg.de/members/schmidt
Gabriel Hege daviko GmbH Schillerstr. 107 Berlin D-10625 Germany
Gabriel Hege daviko GmbH Schillerstr。107柏林D-10625德国
Phone: +493043004344 Email: hege@daviko.com
Phone: +493043004344 Email: hege@daviko.com
Matthias Waehlisch link-lab & FU Berlin Hoenower Str. 35 Berlin D-10318 Germany
Matthias Waehlisch link lab&FU Berlin Hoenower Str.35 Berlin D-10318德国
Email: mw@link-lab.net URI: http://www.inf.fu-berlin.de/~waehl
Email: mw@link-lab.net URI: http://www.inf.fu-berlin.de/~waehl