# RD 729114

## ZTAuth*: Solving the Confused Deputy Problem with the Identity Actor Model

- Publication date: 17/12/2024
- Language: English
- Paper publication: January 2025 Research Disclosure journal
- Digital time stamp: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- Length: 31 page(s), 629K
## Abstract

identity_actor_model_spec_01.md 2024-12-17 1 / 31

### Identity Actor Model Specification

#### 1. Scope and Framework

This specification introduces the Identity Actor Model, a core component of the Zero Trust Auth* (ZTAuth*) Framework. It implements the ZTAuth* Architecture to provide a secure, scalable, and organized way to manage authorization, aligning with Zero Trust principles.

The Identity Actor Model, also known as the Actor Model or simply Actor, enables secure, permission-based operations through policies. It links policies directly to specific authorization contexts, ensuring systems operate with only the minimum permissions required for efficiency and security.

Note: All examples of pseudo-code, JSON, or other formats provided in this document are intended for illustrative purposes only. In a real implementation, the actual fields, their names, or the number of fields may vary depending on the specific requirements and design choices. These examples are descriptive and should not be considered prescriptive or binding.

#### 1.1 Purpose and Scope

The purpose of this specification is to outline how a Node can securely act as an Actor on behalf of a Principal. It provides clear guidance for both architecture and implementation to enable permissioned operations that fully align with Zero Trust principles, ensuring secure interactions with strictly bounded permissions.

#### 1.2 Key Functional Characteristics

The Identity Actor Model enhances user, role, and group management with:

- Direct Link Between Identities and Actor Models: Users, roles, and groups are mapped directly to Actor Models.
- Customizable Actor Models: Combine Actor Models using Union, Intersection, and Difference to support complex permission scenarios.

These features make the Identity Actor Model a secure, efficient, scalable, and flexible solution for modern systems.
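The two characteristics above (composing Actor Models with Union, Intersection, and Difference) and the bounded delegation of 1.1 (a Node acting as an Actor on behalf of a Principal) can be made concrete in a few lines. The following is an added illustration, not code from the ZTAuth* project or the specification: the `ActorModel` class, the `(action, resource)` permission shape, the sample identities, and the rule that a deputy's effective rights are the intersection of the Principal's and the Actor's permissions are all assumptions of this example, chosen to show why that intersection closes the confused-deputy gap.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# A permission is an (action, resource) pair. This shape, and every value
# below, is constructed for this example; the specification does not
# prescribe it.
Permission = Tuple[str, str]


@dataclass(frozen=True)
class ActorModel:
    """An immutable, named set of permissions bound to one authorization context."""

    name: str
    permissions: FrozenSet[Permission]

    @classmethod
    def of(cls, name: str, *perms: Permission) -> ActorModel:
        return cls(name, frozenset(perms))

    def union(self, other: ActorModel) -> ActorModel:
        """Everything either model permits (e.g. a role plus an extra grant)."""
        return ActorModel(f"({self.name}+{other.name})", self.permissions | other.permissions)

    def intersection(self, other: ActorModel) -> ActorModel:
        """Only what both models permit (used here to bound delegated rights)."""
        return ActorModel(f"({self.name}&{other.name})", self.permissions & other.permissions)

    def difference(self, other: ActorModel) -> ActorModel:
        """What this model permits minus what `other` permits (carve-outs)."""
        return ActorModel(f"({self.name}-{other.name})", self.permissions - other.permissions)

    def allows(self, action: str, resource: str) -> bool:
        return (action, resource) in self.permissions


def effective_permissions(principal: ActorModel, actor: ActorModel) -> ActorModel:
    """Assumed bounding rule for a Node acting as `actor` on behalf of `principal`:
    the effective set is the intersection. The deputy cannot lend the principal
    its own broader rights (the confused-deputy failure), and the principal
    cannot exercise rights outside the actor's authorization context."""
    return principal.intersection(actor)


def authorize(principal: ActorModel, actor: ActorModel, action: str, resource: str) -> bool:
    return effective_permissions(principal, actor).allows(action, resource)


# --- constructed sample identities -------------------------------------------
READER = ActorModel.of("reader", ("read", "orders"), ("read", "invoices"))
WRITER = ActorModel.of("writer", ("write", "orders"))
INVOICE_ADMIN = ActorModel.of("invoice-admin", ("delete", "invoices"))

# The billing service (the deputy) holds broad rights of its own.
BILLING_SERVICE = READER.union(WRITER).union(INVOICE_ADMIN)
# Alice is a reader with one extra grant; Bob is a plain reader.
ALICE = READER.union(ActorModel.of("alice-grant", ("write", "orders")))
BOB = READER


def demo() -> Dict[str, bool]:
    """Decisions the bounded deputy makes, returned so they can be checked."""
    return {
        "alice_write_orders": authorize(ALICE, BILLING_SERVICE, "write", "orders"),
        # The deputy may delete invoices itself, but not on Alice's behalf.
        "alice_delete_invoices": authorize(ALICE, BILLING_SERVICE, "delete", "invoices"),
        "bob_write_orders": authorize(BOB, BILLING_SERVICE, "write", "orders"),
        "bob_read_invoices": authorize(BOB, BILLING_SERVICE, "read", "invoices"),
        # Difference: a read-only view of the service context, e.g. for an audit job.
        "audit_view_has_no_writes": not BILLING_SERVICE.difference(WRITER).allows("write", "orders"),
    }


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check}: {'ALLOW' if decision else 'DENY'}")
```

The decisive line is `effective_permissions`: because the deputy's own `delete invoices` right is not in Alice's model, the intersection drops it, so the service cannot be talked into exercising that right on a caller's behalf, which is exactly the confused-deputy pattern the title refers to. Union builds a context from reusable pieces, and difference carves a narrower context out of a broad one without editing the original (the models stay immutable).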
#### 1.3 Underlying Assumptions and Preconditions

ZTAuth* assumes that Identity Providers (IdPs) are now the standard and are responsible for managing core identity aspects, such as Users, Roles, and Groups, specifically in the context of Authentication (AuthN) and Identity Management. ZTAuth* primarily focuses on Zero Trust security, managing the metadata of identities provided by the IdP and implementing the entire Authorization (AuthZ) layer. This approach ensures that ZTAuth* remains focused and dedicated to authorization within a Zero Trust framework, while leveraging the capabilities of Identity Providers to handle authentication and identity management.

#### 1.4 ZTAuth* Overview

ZTAuth* is a comprehensive approach to authorization and authentication designed to align with Zero Trust principles, ensuring that security remains intact even in dynamic and decentralized environments. At its core, ZTAuth* operates under the assumption that a breach is always possible, prompting a rigorous process of continuous verification for every identity and every transaction. The fundamental tenets of Zero Trust (never trust, always verify; least privilege access; assume breach) are applied in all layers, from devices and networks to applications and users.

ZTAuth* focuses not only on authentication (AuthN) and authorization (AuthZ) but also integrates trusted delegation and policy enforcement into its framework. This ensures that any entity (user, device, or application) can operate securely and within a well-defined scope, without implicitly trusting any of the components involved. Every action is logged, and policies are applied in such a way that they are immutable, versionable, and transferable. These properties ensure that policies are tamper-proof, auditable, and consistent across time, providing both operational integrity and security, especially in regulated environments or complex workflows.
The architecture of ZTAuth* uses Auth* models, where Auth* combines both authentication (AuthN) and authorization (AuthZ), as well as related concepts such as delegation and policy enforcement.

Division of AuthN and AuthZ Models in Auth*:

- AuthN Model (Authentication Model): The AuthN model is responsible for handling authentication-related metadata. It contains the information necessary for identifying and verifying entities, such as users, devices, or services. This model includes all the data required for authentication processes, ensuring that only trusted identities can interact with the system. The AuthN model guarantees that the authentication data is immutable, versionable, and transferable to ensure consistency and compliance across various environments, including decentralized or distributed systems.
- AuthZ Model (Authorization Model): The AuthZ model focuses on authorization and includes metadata that defines the permissions, actor models, and policies related to an entity's access to resources. This model integrates key aspects like policy definitions, trust elevation, and trust delegation. These elements are critical for ensuring that entities can only perform actions within their assigned scope, under specific conditions, and in accordance with the security policies defined by the system. Similar to the AuthN model, the AuthZ model is also immutable, versionable, and transferable, ensuring that policies and permissions remain consistent and auditable across different environments.

Together, the AuthN and AuthZ models form the foundation of the Auth* models. The Auth* models act as a comprehensive framework for both authentication and authorization, ensuring that access is tightly controlled and that security is consistently applied, even across distributed or disconnected environments.
The star in Auth* represents the flexibility and extensibility of the framework, as it encompasses not only AuthN and AuthZ, but also integrates related concepts such as trusted delegation, elevation of trust, and other policy enforcement mechanisms. This ensures that the system remains adaptable to evolving security needs and operational environments.

One of the key features of ZTAuth* is its ability to operate effectively in environments with intermittent connectivity. This is especially crucial in modern architectures such as Cloud, IoT, and Edge Nodes, where reliable, always-on network connections are often not the norm but rather the exception. To address these challenges, ZTAuth* incorporates proximity nodes that function autonomously even in disconnected or low-connectivity environments. These nodes synchronize the necessary Auth* models and operate securely, applying policies and handling authentication and authorization requests locally. The proximity nodes ensure that security checks and operations can still be carried out without waiting for constant connectivity to a central server.

In these environments, eventual consistency is applied. This means that while the proximity nodes may work independently in the short term, once connectivity is restored, they synchronize with the central server to ensure that all data, policies, and authorization contexts are consistent across the system. This approach guarantees that, even in en...
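The proximity-node behaviour described above (versioned, immutable AuthZ models cached locally, decisions made offline, reconciliation with the central server under eventual consistency, every action logged) is sketched below as an added example; it is not code from the ZTAuth* project or the specification. The `version` and `digest` fields, the "pull anything newer than what I hold" reconciliation rule, the digest check on transfer, and the grant/revoke scenario are all assumptions of this example. It deliberately walks through the one consequence a practitioner must plan for: a revocation published while a node is offline takes effect only after the next sync, and the journal records which model version each decision used.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Permission = Tuple[str, str]  # (action, resource); shape constructed for this example


@dataclass(frozen=True)
class AuthzModel:
    """One immutable, versioned authorization model for one identity."""

    identity: str
    version: int
    permissions: FrozenSet[Permission]

    def digest(self) -> str:
        """Content digest used to check integrity after transfer (assumed field)."""
        canonical = json.dumps(
            {"identity": self.identity, "version": self.version,
             "permissions": sorted(self.permissions)},
            sort_keys=True, separators=(",", ":"),
        )
        return hashlib.sha256(canonical.encode()).hexdigest()


class CentralServer:
    """Source of truth: publishing never mutates a model, it creates a new version."""

    def __init__(self) -> None:
        self.models: Dict[str, AuthzModel] = {}

    def publish(self, identity: str, *perms: Permission) -> AuthzModel:
        previous = self.models.get(identity)
        version = previous.version + 1 if previous else 1
        model = AuthzModel(identity, version, frozenset(perms))
        self.models[identity] = model
        return model

    def newer_than(self, known: Dict[str, int]) -> List[Tuple[AuthzModel, str]]:
        """Models the caller has not seen yet, each with the digest it should verify."""
        return [(m, m.digest()) for m in self.models.values()
                if m.version > known.get(m.identity, 0)]


class ProximityNode:
    """Evaluates requests from its local cache; reconciles with the server when online."""

    def __init__(self, server: CentralServer) -> None:
        self.server = server
        self.online = True
        self.cache: Dict[str, AuthzModel] = {}
        self.journal: List[dict] = []  # every decision, with the model version it used

    def sync(self) -> int:
        """Pull newer versions; returns how many models were replaced. A model whose
        recomputed digest differs from the announced one is refused and the last
        good version is kept."""
        if not self.online:
            return 0
        known = {ident: m.version for ident, m in self.cache.items()}
        updated = 0
        for model, announced in self.server.newer_than(known):
            if model.digest() != announced:
                continue
            self.cache[model.identity] = model
            updated += 1
        return updated

    def authorize(self, identity: str, action: str, resource: str) -> bool:
        model: Optional[AuthzModel] = self.cache.get(identity)
        decision = model is not None and (action, resource) in model.permissions
        self.journal.append({
            "identity": identity, "action": action, "resource": resource,
            "decision": decision, "online": self.online,
            "model_version": model.version if model else None,
            "model_digest": model.digest() if model else None,
        })
        return decision


def scenario() -> List[Tuple[str, bool, Optional[int]]]:
    """Constructed walk-through: grant, go offline, revoke centrally, reconnect."""
    server = CentralServer()
    node = ProximityNode(server)
    server.publish("alice", ("read", "orders"))
    node.sync()                                          # v1 now cached on the node
    node.online = False
    server.publish("alice")                              # v2: access revoked at the server
    offline = node.authorize("alice", "read", "orders")  # still v1 locally -> allowed
    node.online = True
    node.sync()                                          # v2 replaces v1
    after = node.authorize("alice", "read", "orders")    # now denied
    return [("offline", offline, node.journal[0]["model_version"]),
            ("after_sync", after, node.journal[1]["model_version"])]


if __name__ == "__main__":
    for label, decision, version in scenario():
        print(f"{label}: {'ALLOW' if decision else 'DENY'} (model v{version})")
```

The window between the central revocation and the next successful sync is the price of autonomy; what makes it acceptable is that each journal entry carries the version and digest of the model that produced the decision, so an auditor can later tell exactly which policy state a disconnected node was enforcing.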