author | Schanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de> | 2018-07-07 11:51:44 +0200 |
---|---|---|
committer | Schanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de> | 2018-07-07 11:51:44 +0200 |
commit | ead5b511755860cefc793257120338a44a08c9dd (patch) | |
tree | 7c35c91d4a55b8dfacb214235aa8241496fdc58c /doc/documentation/chapters | |
parent | 8d2bd1dd06bc416277f623d2c9d84cf0da5624fe (diff) | |
download | gnunet-ead5b511755860cefc793257120338a44a08c9dd.tar.gz gnunet-ead5b511755860cefc793257120338a44a08c9dd.zip |
add some reclaim
Diffstat (limited to 'doc/documentation/chapters')
-rw-r--r-- | doc/documentation/chapters/user.texi | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/doc/documentation/chapters/user.texi b/doc/documentation/chapters/user.texi index e91812500..0a62c5fdb 100644 --- a/doc/documentation/chapters/user.texi +++ b/doc/documentation/chapters/user.texi | |||
@@ -26,6 +26,7 @@ always welcome. | |||
26 | * First steps - Using the GNUnet VPN:: | 26 | * First steps - Using the GNUnet VPN:: |
27 | * File-sharing:: | 27 | * File-sharing:: |
28 | * The GNU Name System:: | 28 | * The GNU Name System:: |
29 | * reclaim:: | ||
29 | * Using the Virtual Public Network:: | 30 | * Using the Virtual Public Network:: |
30 | @end menu | 31 | @end menu |
31 | 32 | ||
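Review bot: the new menu entry `* reclaim::` is the only lowercase, unexplained item in this menu; the surrounding entries (`* The GNU Name System::`, `* Using the Virtual Public Network::`) name the topic in full. Since the @node name cannot carry the colon in "re:claim", keep the node name but add a description after the entry, e.g. `* reclaim::   The re:claim decentralized identity provider.`, so the table of contents tells the reader what the section is.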
@@ -1790,6 +1791,98 @@ is thus advisable to disable the namecache by setting the | |||
1790 | option ``DISABLE'' to ``YES'' in section ``[namecache]''. | 1791 | option ``DISABLE'' to ``YES'' in section ``[namecache]''. |
1791 | 1792 | ||
1792 | 1793 | ||
1794 | @node reclaim | ||
1795 | @section re:claim Identity Provider | ||
1796 | |||
1797 | The re:claim Identity Provider (IdP) is a decentralized IdP service. | ||
1798 | It allows its users to manage and authorize third parties to access their identity attributes such as email or shipping addresses. | ||
1799 | |||
1800 | It basically mimics the concepts of centralized IdPs, such as those offered by Google or Facebook. | ||
1801 | Like other IdPs, re:claim features an (optional) OpenID-Connect 1.0-compliant protocol layer that can be used for websites to integrate re:claim as an Identity Provider with little effort. | ||
1802 | |||
1803 | @menu | ||
1804 | * reclaim-Attributes:: | ||
1805 | * reclaim-Authorization:: | ||
1806 | * reclaim-Revocation:: | ||
1807 | * reclaim-OpenID:: | ||
1808 | @end menu | ||
1809 | |||
1810 | @node reclaim-Attributes | ||
1811 | @subsection Managing Attributes | ||
1812 | |||
1813 | Before adding attributes to an identity, you must first create an ego: | ||
1814 | |||
1815 | @example | ||
1816 | $ gnunet-identity -C "username" | ||
1817 | @end example | ||
1818 | |||
1819 | Henceforth, you can manage a new user profile of the user ``username''. | ||
1820 | |||
1821 | To add an email address to your user profile, simply use the @command{gnunet-idp} command line tool:: | ||
1822 | |||
1823 | @example | ||
1824 | $ gnunet-idp -e "username" -a "email" -V "username@@example.gnunet" | ||
1825 | @end example | ||
1826 | |||
1827 | All of your attributes can be listed using the @command{gnunet-idp} | ||
1828 | command line tool as well: | ||
1829 | |||
1830 | @example | ||
1831 | $ gnunet-idp -e "username" -D | ||
1832 | @end example | ||
1833 | |||
1834 | Currently, and by default, attribute values are interpreted as plain text. | ||
1835 | In the future there might be more value types such as X.509 certificate credentials. | ||
1836 | |||
1837 | @node reclaim-Authorization | ||
1838 | @subsection Sharing Attributes with Third Parties | ||
1839 | |||
1840 | If you want to allow a third party such as a website or friend to access to your attributes (or a subset thereof) execute: | ||
1841 | |||
1842 | @example | ||
1843 | $ gnunet-idp -e "username" -r "PKEY" -i "attribute1,attribute2,..." | ||
1844 | @end example | ||
1845 | |||
1846 | Where "PKEY" is the public key of the third party and "attribute1,attribute2,..." is a comma-separated list of attribute names, such as "email", that you want to share. | ||
1847 | |||
1848 | The command will return a "ticket" string. | ||
1849 | You must give this "ticket" to the requesting third party. | ||
1850 | |||
1851 | The third party can then retrieve your shared identity attributes using: | ||
1852 | |||
1853 | @example | ||
1854 | $ gnunet-idp -e "friend" -C "ticket" | ||
1855 | @end example | ||
1856 | |||
1857 | This will retrieve and list the shared identity attributes. | ||
1858 | The above command will also work if the user "username" is currently offline since the attributes are retrieved from GNS. | ||
1859 | Further, the "ticket" can be re-used later to retrieve up-to-date attributes in case "username" has changed the value(s). For instance, becasue his email address changed. | ||
1860 | |||
1861 | To list all given authorizations (tickets) you can execute: | ||
1862 | @example | ||
1863 | $ gnunet-idp -e "friend" -T (TODO there is only a REST API for this ATM) | ||
1864 | @end example | ||
1865 | |||
1866 | |||
1867 | @node reclaim-Revocation | ||
1868 | @subsection Revoking Authorizations of Third Parties | ||
1869 | |||
1870 | If you want to revoke the access of a third party to your attributes you can execute: | ||
1871 | |||
1872 | @example | ||
1873 | $ gnunet-idp -e "username" -R "ticket" | ||
1874 | @end example | ||
1875 | |||
1876 | This will prevent the third party from accessing the attribute in the future. | ||
1877 | Please note that if the third party has previously accessed the attribute, there is not way in which the system could have prevented the thiry party from storing the data. | ||
1878 | As such, only access to updated data in the future can be revoked. | ||
1879 | This behaviour is _exactly the same_ as with other IdPs. | ||
1880 | |||
1881 | @node reclaim-OpenID | ||
1882 | @subsection Using the OpenID-Connect IdP | ||
1883 | |||
1884 | TODO: Document setup and REST endpoints | ||
1885 | |||
1793 | @node Using the Virtual Public Network | 1886 | @node Using the Virtual Public Network |
1794 | @section Using the Virtual Public Network | 1887 | @section Using the Virtual Public Network |
1795 | 1888 | ||
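Review bot: line 1863 puts `(TODO there is only a REST API for this ATM)` inside an @example block, so the rendered manual presents a non-existent `gnunet-idp -T` invocation and the TODO as if they were the command line; either drop the example until the CLI flag exists or move the remark into prose ("Listing issued tickets is currently only available through the REST API"). The same applies to line 1884, where the reclaim-OpenID subsection ships as the bare placeholder `TODO: Document setup and REST endpoints` while line 1801 already advertises the OpenID-Connect layer to integrators. Line 1879 uses `_exactly the same_`, which Texinfo renders literally; use `@emph{exactly the same}`. Typos: line 1821 ends with a doubled `::`, line 1859 has `becasue` and should avoid `his` for a generic user, line 1877 has `not way` (should be `no way`) and `thiry` (should be `third`), and line 1856 says `access to your attributes` after `allow ... to`, which reads better as `allow ... to access your attributes`. Finally, lines 1857 to 1859 state that a ticket can be used while the issuer is offline and re-used later to fetch updated values; it would help the reader to say explicitly in the revocation subsection (line 1876) that `-R` is what ends that re-use, since the two paragraphs are the only place the ticket lifetime is described.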