Resources
The following is written in the style of REST, so a Resource is acquired by sending a URL.
Every Resource
Every Resource has
Member
A Member has
- Assurance Information (in a single object)
  - a (single) DoB
  - a list of Names.
- a list of Profiles.
- Experience Points
- A list of Assurances
  - a list of Assurances done on it (passive)
    - --> can calculate Assurance Points
  - a list of Assurances done by it (active)
    - --> can calculate Experience Points
  - revocations are new entries that revert the effect of earlier entries
  - These lists may be the same list. IMPLEMENTATION DETAIL.
- a single email address
  - for contact purposes
  - as prescribed by CCA
- a set of Roles
  - generally set by Support (which is itself enabled by a role)
- credentials
- log
  - all useful events in there
  - lots of event types
- list of notifications to be processed by Member
  - needs display and acknowledgement, some action taken
- a list of Tokens issued to the Member
Credential
- type (password w. question, certificate, pgp-key)
- content
- status (active/blocked/expired/...)
Profile
A Profile is
- a list of email addresses
  - maybe also include specifications such as *@example.com
- a list of domains
  - maybe also include specifications such as *.example.com
- a list of credentials (certificates and gpg keys)
  - (CSRs are kept in an interim ?? NO.)
  - all stored gpg keys are signed by CAcert.
- a list of delegations
  - to a Member account, which gives this account the ability to perform the action
  - each delegation is over an action, for example
    - create a client certificate with this email address.
  - the list of delegations is, for example
    - creation of certificates for dev.example.com
    - creation of email certificates for me@example.com
    - creation of client certificates for me@example.com
    - right to delegate (full ownership of profile)
  - each delegation may be limited over certain classes such as client certs, subdomains
  - includes the full set of own profiles
- a list of Names for the profile, for:
  - O field
  - OU field
  - Location information: C, State, ...
  - (CN field is taken from Member information or may be freely choosable for Orgs)
  - (Names are issued into certs by Orgs, they have the permission to do that, and they extend it to us as Member and CAcert stores the certificate as permission)
  - each Name requires an OrgAssurer? No, because wife can be delegated.
Token
A Token is
- a string
- has an Issuer
  - so it is tied to the Member doing this.
- has a User
  - so the support guy that enters it in is tracked
- the token may be tied to
  - a role
  - an individual
  - not tied, which means tied to the Member role
- a list of actions / events
  - that were performed using the token
- is usable many times
- is used for
  - authorisation permissions generated (e.g., from Arbitrator to Support)
  - authentication permissions (e.g., from an Application to the System)
Application
- meta data
  - who is the responsible Member(s)
  - a name / human readable tag
  - an address for the user to get to it, not relevant to the system
- a form of Authentication
  - credentials that are presented with every request
  - may be bootstrapped from Member authentication
- access rights
  - read, write, act, etc.
  - e.g., has the right to look up whether someone is an Assurer, no more
- log
  - of all actions it has performed
Event
An Event is
- timestamp
- Token
- Actor
  - the subject of the action
- type of action
  - could just be URL or resource
- meta data
  - descriptive text
  - there may be other structured forms such as an XML blob, depending on the action performed
- level
  - sensitivity like privacy or security
Notification
A Notification is
- Source
- Target
- Sent Event
- Viewed/Acknowledged Event
- Type
- content
  - descriptive text
  - structured stuff, e.g., HTML linking to the CCA for agreement

(This is a high-level message to a person, not a low-level message in the system.)
Email Address
An email address is
- a profile that it is attached to
- list of certificates that it is issued in
- list of verification events
  - ping events
  - Assurer statements
- a string in RFC8222 something format
Domain
A Domain is
- a profile that it is attached to
- list of certificates that it is issued in
- list of verification events
  - ping events to email addresses
  - whois and DNS checks
  - Assurer statements
- a string in RFC.... something format
Name
A name has
- a string
- a list of Assurances
  OR
- (cached) Assurance Points against Name
DoB
A Date of Birth has
- a date
- a list of Assurances
Assurance
- (timestamp is in the Event)
- Assurer (might be in the Event)
  - receives the Experience Points
- Assuree (might be in the Event)
  - receives the Assurance Points
- issued Assurance Points
- meeting information
- type of Assurance
  - face2face
  - TTP
  - Tverify
  - Arbitration
  - revocation
    - ordered by Board
Assurances are "double-entry": each one is keyed inside both the assuree and the assurer.
Either PUTing a single assurance into both places presents a two-phase commit issue,
or storing it once and reading the assurances from both sides presents a query issue.
Assurance and Experience points are a caching problem: they are derived from the list of events rather than stored as facts.
Assurance Points
- how many
- relies on the list of events to track ups & downs
Experience Points
- how many
- relies on the list of events to track ups & downs
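The double-entry, revocation and caching points above, worked through as an added example (this is illustration code, not code from the page or from the CAcert software). It takes the IMPLEMENTATION DETAIL option of keeping one list that serves as both the passive and the active list of every Member, so there is no two-phase commit, only a query per side; revocations are new entries that name the entry they revert; and both kinds of points are cached results of replaying the list. The rule that each effective assurance earns the Assurer a fixed number of Experience Points (`EXPERIENCE_PER_ASSURANCE`), the member ids and the point values are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed rule for this example: each effective assurance performed earns the Assurer a
# fixed number of Experience Points. The page only says the Assurer "receives" them.
EXPERIENCE_PER_ASSURANCE = 2


@dataclass(frozen=True)
class AssuranceEntry:
    """One entry in the assurance log.

    kind is the type of Assurance (face2face, TTP, Tverify, Arbitration) or "revocation".
    A revocation is a new entry that reverts the entry named by `reverts`; nothing is
    ever deleted, so the ups and downs stay replayable from the list of events.
    """
    entry_id: int
    timestamp: int        # stands in for the Event timestamp
    assurer: str          # active side: Member who did the assurance (or ordered the revocation)
    assuree: str          # passive side: Member who was assured
    kind: str
    points: int = 0       # issued Assurance Points, credited to the assuree
    reverts: Optional[int] = None


class AssuranceLedger:
    """A single list answering both the passive and the active list of every Member."""

    def __init__(self):
        self._entries = []
        self._cache = {}

    def append(self, entry):
        if entry.kind == "revocation":
            target = self._find(entry.reverts)
            if target is None or target.kind == "revocation":
                raise ValueError("a revocation must name an earlier, non-revocation entry")
        self._entries.append(entry)
        self._cache.clear()   # any new entry may change someone's points

    def entries(self):
        return list(self._entries)

    def _find(self, entry_id):
        return next((e for e in self._entries if e.entry_id == entry_id), None)

    def _effective(self):
        """Entries that still count: not revocations, and not reverted by one."""
        revoked = {e.reverts for e in self._entries if e.kind == "revocation"}
        return [e for e in self._entries
                if e.kind != "revocation" and e.entry_id not in revoked]

    def assurances_on(self, member):
        """Passive list: assurances done on the Member."""
        return [e for e in self._effective() if e.assuree == member]

    def assurances_by(self, member):
        """Active list: assurances done by the Member."""
        return [e for e in self._effective() if e.assurer == member]

    def assurance_points(self, member):
        key = ("assurance", member)
        if key not in self._cache:
            self._cache[key] = sum(e.points for e in self.assurances_on(member))
        return self._cache[key]

    def experience_points(self, member):
        key = ("experience", member)
        if key not in self._cache:
            self._cache[key] = EXPERIENCE_PER_ASSURANCE * len(self.assurances_by(member))
        return self._cache[key]


def demo():
    """Constructed sample data: three assurances, then one reverted by a Board-ordered revocation."""
    ledger = AssuranceLedger()
    ledger.append(AssuranceEntry(1, 100, "alice", "bob", "face2face", points=35))
    ledger.append(AssuranceEntry(2, 200, "carol", "bob", "TTP", points=35))
    ledger.append(AssuranceEntry(3, 300, "alice", "dave", "face2face", points=10))
    before = (ledger.assurance_points("bob"), ledger.experience_points("alice"),
              ledger.experience_points("carol"))
    # The revocation is a fourth entry; entry 2 stays in the log but no longer counts.
    ledger.append(AssuranceEntry(4, 400, "board", "bob", "revocation", reverts=2))
    after = (ledger.assurance_points("bob"), ledger.experience_points("alice"),
             ledger.experience_points("carol"))
    return ledger, before, after


if __name__ == "__main__":
    _, before, after = demo()
    print("before revocation (bob AP, alice XP, carol XP):", before)
    print("after revocation  (bob AP, alice XP, carol XP):", after)
```

Because the cache is cleared on every append, a stale total can never be served after a revocation; a real store would invalidate only the two Members named by the new entry.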
Roles
A role is assigned to many Members (unlike a delegation):
- Name
  - isASupportEngineer
  - isAMember
  - .... the total list of Actors
- Permissions
  - actions include create, read, write, modify, create a delegation...
  - a permission is a specification ("pattern") of resources and the actions you may take upon them.
Authentication
- password
- security questions
- certificates enabled for authentication
- pgp keys enabled for authentication, included in same list
- where authentication is used broadly: login, reset password, etc.
Certificate
- type of Certificate
- the certificate
  - (a certificate includes openpgp keys)
  - we might invent another name for the combined type later on
Delegation
A delegation is specific to a Member:
- a permission
- a specification of tasks
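An added example of the permission "pattern" from the Roles list and of the Member-specific delegations from the Profile list (illustration code, not code from the page or the CAcert software). A Permission is a resource pattern plus the actions allowed on it; a Role holds Permissions and is assigned to many Members; a Delegation grants one Permission to one specific Member, limited to a class such as client certs or a subdomain; and "right to delegate" is modelled as a `delegate` action that lets a holder hand down a permission no broader than one they hold. The `kind:class:name` resource naming, the `fnmatch`-style wildcards (the page's `*@example.com` and `*.example.com` forms) and the subset test for re-delegation are all assumptions of the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Action vocabulary taken from the Roles list; "delegate" stands for "create a delegation".
ACTIONS = frozenset({"create", "read", "write", "modify", "delegate"})


@dataclass(frozen=True)
class Permission:
    """A pattern of resources and the actions one may take upon them.

    Resource names are assumed to look like "cert:client:me@example.com" or
    "cert:server:*.dev.example.com"; '*' is an fnmatch wildcard.
    """
    resource_pattern: str
    actions: frozenset

    def covers(self, action, resource):
        return action in self.actions and fnmatchcase(resource.lower(), self.resource_pattern.lower())

    def narrower_or_equal(self, other):
        # Simplified subset test: our pattern must itself be matched by the other's pattern
        # and our actions must be a subset of the other's. Enough for the wildcard forms used here.
        return (self.actions <= other.actions
                and fnmatchcase(self.resource_pattern.lower(), other.resource_pattern.lower()))


@dataclass(frozen=True)
class Delegation:
    """Specific to one Member (the grantee), unlike a Role."""
    grantee: str
    permission: Permission


class Authoriser:
    def __init__(self):
        self.role_permissions = {}   # role name -> list of Permission
        self.member_roles = {}       # member -> set of role names (a role has many Members)
        self.delegations = {}        # member -> list of Delegation

    def define_role(self, name, permissions):
        self.role_permissions[name] = list(permissions)

    def assign_role(self, member, role):
        self.member_roles.setdefault(member, set()).add(role)

    def grant_ownership(self, member, profile_pattern):
        # "includes the full set of own profiles": owning a profile is every action on it,
        # including the right to delegate.
        self.delegations.setdefault(member, []).append(
            Delegation(member, Permission(profile_pattern, ACTIONS)))

    def permissions_of(self, member):
        perms = []
        for role in self.member_roles.get(member, ()):
            perms.extend(self.role_permissions.get(role, ()))
        perms.extend(d.permission for d in self.delegations.get(member, ()))
        return perms

    def is_allowed(self, member, action, resource):
        return any(p.covers(action, resource) for p in self.permissions_of(member))

    def delegate(self, granter, grantee, permission):
        """Right to delegate: granter needs 'delegate' over a pattern that covers what is handed down."""
        holds = [p for p in self.permissions_of(granter) if "delegate" in p.actions]
        if not any(permission.narrower_or_equal(p) for p in holds):
            raise PermissionError(f"{granter} may not delegate {permission.resource_pattern}")
        self.delegations.setdefault(grantee, []).append(Delegation(grantee, permission))


def demo():
    """Constructed scenario: a Support role, a profile owner, and three chained delegations."""
    auth = Authoriser()
    auth.define_role("support", [Permission("member:*", frozenset({"read"}))])
    auth.assign_role("sam", "support")
    auth.assign_role("sue", "support")
    auth.grant_ownership("alice", "cert:*:*@example.com")
    auth.grant_ownership("alice", "cert:*:*.example.com")
    # limited to one class (client certs) and one address; not re-delegable
    auth.delegate("alice", "bob", Permission("cert:client:me@example.com", frozenset({"create"})))
    # limited to a subdomain class; re-delegable, so carol can hand down a narrower grant
    auth.delegate("alice", "carol",
                  Permission("cert:server:*.dev.example.com", frozenset({"create", "delegate"})))
    auth.delegate("carol", "dan", Permission("cert:server:ci.dev.example.com", frozenset({"create"})))
    checks = {
        "bob_client": auth.is_allowed("bob", "create", "cert:client:me@example.com"),
        "bob_email": auth.is_allowed("bob", "create", "cert:email:me@example.com"),
        "carol_sub": auth.is_allowed("carol", "create", "cert:server:ci.dev.example.com"),
        "carol_apex": auth.is_allowed("carol", "create", "cert:server:dev.example.com"),
        "dan_ci": auth.is_allowed("dan", "create", "cert:server:ci.dev.example.com"),
        "sam_read": auth.is_allowed("sam", "read", "member:bob"),
        "sam_write": auth.is_allowed("sam", "write", "member:bob"),
    }
    try:   # bob holds no 'delegate' action, so he cannot pass his grant on
        auth.delegate("bob", "eve", Permission("cert:client:me@example.com", frozenset({"create"})))
        checks["bob_redelegate"] = True
    except PermissionError:
        checks["bob_redelegate"] = False
    return checks


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The pattern-on-pattern subset test is the weak spot of this sketch: it is sound for the suffix wildcards used here, but a production authoriser should compare the two patterns' languages properly rather than matching one pattern string against the other.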
Permission