A metaphor for understanding SecureConversation and Trust.

Chris Kaler unlocked my understanding of SecureConversation and Trust a few weeks ago with a very easy-to-understand metaphor. I think it is worth sharing. I have been spending a bit of time trying to find out where the metaphor breaks down, to prove to myself that I understood the technology.

Roles in this metaphor:

· Bouncer checking IDs at a bar in a state where you do not live - Token issuer (the Security Token Service, or STS, in WS-Trust)

· The book the bouncer uses to check that your ID really is one issued by the state you say you are from - Federated trust

· Bartender - Service provider

· You - The client

When you go into a bar, the bouncer checks your ID. First they authenticate you by ensuring that you are in fact the person your credentials say you are. Then they authorize you by ensuring that you are of age. If the bouncer is not familiar with the credentials you are presenting, e.g. you have an out-of-state license or a military ID, they look in a book which lists the credentials the bar trusts. If your ID is listed and matches the template, the bouncer chooses to trust the credentials you have and lets you in. Note the order: trust in the issuer comes first, then authentication of the credential itself, then authorization of what it says about you; a perfectly genuine ID from an issuer not in the book still gets you turned away.

Before the bouncer lets you in, they give you a stamp, a Security Context Token (SCT), which allows you to drink alcoholic beverages. The bartenders in the club do not have to go through the same cumbersome process to prove that you are who you say you are and that you are authorized to drink. They simply verify that you have the appropriate SCT, the stamp on your hand. This ensures that the bartender's cycles are not wasted on tedious ID checking, which is not core to their service.

The SCT stands for a shared secret established between you and the bar when you were let in: each later message you send is signed with a key derived from that secret, so "checking the stamp" means checking that signature. If someone tries to copy the stamp onto their own hand, they have only the visible part (the context identifier), not the secret behind it. Their ink will not have the same strength, and the stamp is easily recognized as invalid.

If for some reason the bartender doubts you, for example because the stamp has expired or is one they do not recognize, they can always ask for your original credentials before serving you, and you go back to the bouncer for a fresh stamp.
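The whole exchange above (trusted-issuer lookup, authentication and authorization at the token issuer, issuance of a context secret, signature checks at the service, and the fall-back to the original credentials) as an added Python model. This is example code written for this post, not code from the WS-Trust or WS-SecureConversation specifications or any product: the issuer keys, subject names, ages and the `TRUST_BOOK` are constructed sample data, symmetric HMAC keys stand in for the certificates a real federation would use, and HMAC-SHA256 stands in for the P_SHA1 key derivation the real protocol uses. The context store shared between bouncer and bartender is an assumption that they sit in the same bar; with a separate STS the secret would be conveyed to the service inside the token.

```python
import hashlib
import hmac
import os
import time

# Constructed toy data: the bouncer's "book" of trusted credential issuers,
# mapping each issuer to the key that verifies that issuer's credentials.
TRUST_BOOK = {
    "DMV-StateA": b"state-a-issuer-key",
    "Military-ID": b"military-issuer-key",
}


def _mac(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 over '|'-joined fields, hex encoded."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def issue_credential(issuer: str, issuer_key: bytes, subject: str, age: int) -> dict:
    """The credential the client walks in with (an ID card from some issuer)."""
    return {"issuer": issuer, "subject": subject, "age": age,
            "mac": _mac(issuer_key, issuer, subject, str(age))}


def derive_key(secret: bytes, label: str) -> bytes:
    """Per-purpose key from the context secret (stand-in for P_SHA1 derived keys)."""
    return hmac.new(secret, label.encode(), hashlib.sha256).digest()


class TokenIssuer:
    """The bouncer: an STS that checks credentials and issues an SCT."""

    def __init__(self, trust_book: dict, context_store: dict):
        self.trust_book = trust_book
        self.store = context_store  # assumed shared with the service provider

    def request_security_token(self, cred: dict, ttl: float = 3600) -> dict:
        issuer_key = self.trust_book.get(cred["issuer"])
        if issuer_key is None:  # federated trust: issuer not in the book
            raise PermissionError("untrusted issuer")
        expected = _mac(issuer_key, cred["issuer"], cred["subject"], str(cred["age"]))
        if not hmac.compare_digest(cred["mac"], expected):  # authenticate
            raise PermissionError("credential does not verify")
        if cred["age"] < 21:  # authorize
            raise PermissionError("not of age")
        context_id = os.urandom(8).hex()  # the visible part of the stamp
        secret = os.urandom(32)           # the ink: never sent on later messages
        self.store[context_id] = (cred["subject"], secret, time.time() + ttl)
        return {"context_id": context_id, "secret": secret}


def client_request(sct: dict, body: str) -> dict:
    """A later message, signed with a key derived from the context secret."""
    key = derive_key(sct["secret"], "request")
    return {"context_id": sct["context_id"], "body": body,
            "mac": _mac(key, sct["context_id"], body)}


class ServiceProvider:
    """The bartender: verifies the stamp instead of re-checking IDs."""

    def __init__(self, context_store: dict):
        self.store = context_store

    def serve(self, msg: dict) -> str:
        entry = self.store.get(msg["context_id"])
        if entry is None or entry[2] < time.time():
            # Unknown or expired context: fall back to the original credentials.
            return "challenge: present original credentials"
        subject, secret, _ = entry
        key = derive_key(secret, "request")
        if not hmac.compare_digest(msg["mac"], _mac(key, msg["context_id"], msg["body"])):
            return "refused: invalid stamp"
        return f"served {subject}: {msg['body']}"


def run_scenario() -> dict:
    """Walk the metaphor: good ID, copied stamp, expired stamp, unknown and doctored IDs."""
    store = {}
    bouncer = TokenIssuer(TRUST_BOOK, store)
    bartender = ServiceProvider(store)
    results = {}

    def attempt(cred: dict) -> str:
        try:
            bouncer.request_security_token(cred)
            return "admitted"
        except PermissionError as exc:
            return f"rejected: {exc}"

    alice = issue_credential("DMV-StateA", TRUST_BOOK["DMV-StateA"], "alice", 30)
    sct = bouncer.request_security_token(alice)
    results["legit"] = bartender.serve(client_request(sct, "one beer"))

    # Mallory saw the context id on the wire but never had the secret.
    copied = {"context_id": sct["context_id"], "secret": os.urandom(32)}
    results["copied_stamp"] = bartender.serve(client_request(copied, "one beer"))

    expired = bouncer.request_security_token(alice, ttl=-1)
    results["expired"] = bartender.serve(client_request(expired, "one beer"))

    results["untrusted_issuer"] = attempt(
        issue_credential("Unknown-State", b"whatever", "bob", 40))

    carol = issue_credential("DMV-StateA", TRUST_BOOK["DMV-StateA"], "carol", 17)
    carol["age"] = 25  # doctored ID: the issuer's MAC no longer matches
    results["doctored_id"] = attempt(carol)
    return results
```

Two things in the model are worth noticing against the metaphor. The copied stamp fails not because the bartender recognizes the ink by eye but because the signature on the request does not verify under the real context secret, which is why the secret must never travel with the stamp itself. And the expiry check is part of what makes the fall-back on the previous paragraph routine rather than exceptional: a long-lived stamp that never expires makes the bartender's shortcut much more dangerous than the ID check it replaced.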