[Ssc-dev] Authentication, Authorization and Architecture

Nathan of Guardian nathan at guardianproject.info
Wed Mar 6 21:04:05 EST 2013


Lee Azzarello <lee at rockingtiger.com> wrote:

>Nathan,
>
>
>Can you describe the level of detail for authorization of roles from
>client to server? I don't think I understand the scope of this project
>nor the requirements to ensure a chain of custody in a court of law.

This is what the entire InformaCam IBA project has been doing for the last year. The Chain Of Custody issue is solved based on the signing and encryption Harlo has already implemented. You should be able to post InformaCam blobs into the public internet, as long as they have been signed by the submitter's key and encrypted to the trusted party's key. We also have the file hash submission process that is, again, already designed and implemented.

The only roles there were ever meant to be were 1) known or unknown person submitting a report from their device and 2) trusted party receiving report and being able to unpack and verify integrity of report blob.

I know we have added additional function to the server to allow searching and browsing of reports, but super complex roles and distributed computing authenticating mechanisms seem like we are way, way out of any design goals I am familiar with.

Harlo, Bryan - can you provide some clarity here? Are we getting pushed in directions by the IBA that I am not aware of?

+n

