valuetype EndorsementStatement :
SecurityLevel3::Statement
The endorsement statement is a statement that is used for
authorization. An endorsement statement endorses a
principal with certain characteristics, such as privileges
or the authority to act on behalf of another principal; the latter
is sometimes called "delegation".
According to our research, an endorsement statement may be a complex entity containing matching rules for the endorsement. An endorsement may have the following general form:
I says Principal A matching [(P1 with [p1,...,pn]) or ....]
speaks_for
Principal B matching [(T1 with [t1,...,tn]) or ... ]
has [s1,...,sm]
on Resources matching [R1, .... Rn]
Actual semantic reduction of principals is directed by the
matching rules, and may depend on other statements as well,
such as local trust rules in the security service configuration.
Also, much of the capability of an endorsement statement is
dependent on its encoding.
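The following Python sketch is an added example, not part of this specification or its interfaces. It shows one possible reading of the general form above as a default-deny check that also consults a local list of trusted issuers. The class names, the glob treatment of resource patterns, and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Principal:            # hypothetical model of a principal
    kind: str               # principal type, e.g. "X509" (constructed value)
    attrs: frozenset        # attribute strings held by the principal

@dataclass(frozen=True)
class Alt:                  # one "(P with [p1,...,pn])" alternative
    kind: str
    required: frozenset

    def matches(self, p: Principal) -> bool:
        # Type must agree and every required attribute must be present.
        return p.kind == self.kind and self.required <= p.attrs

@dataclass(frozen=True)
class Endorsement:
    issuer: str             # "I says"
    subject: tuple          # Principal A matching [Alt or ...]
    speaks_for: tuple       # Principal B matching [Alt or ...]
    has: frozenset          # [s1,...,sm]
    resources: tuple        # [R1,...,Rn], treated here as glob patterns

def applies(e, trusted_issuers, a, b, privilege, resource) -> bool:
    """Default-deny: every clause of the statement must hold."""
    return (
        e.issuer in trusted_issuers                      # local trust rule
        and any(alt.matches(a) for alt in e.subject)     # empty list -> deny
        and any(alt.matches(b) for alt in e.speaks_for)
        and privilege in e.has
        and any(fnmatchcase(resource, r) for r in e.resources)
    )

# Constructed sample statement and principals.
STMT = Endorsement(
    issuer="CA-1",
    subject=(Alt("X509", frozenset({"ou=gateway"})),),
    speaks_for=(Alt("X509", frozenset({"ou=staff"})),),
    has=frozenset({"read"}),
    resources=("/reports/*",),
)
GATEWAY = Principal("X509", frozenset({"ou=gateway", "cn=gw1"}))
ALICE = Principal("X509", frozenset({"ou=staff", "cn=alice"}))
```

Because each clause is a conjunct, an untrusted issuer, a missing attribute, an unlisted privilege or a non-matching resource each independently causes the endorsement to be ignored.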
This approach to authorization is a largely unexplored research topic. Encodings of endorsement statements are neither numerous nor well known. Therefore, we are reluctant, for now, to produce interfaces that go beyond the encoding. However, we do expose the endorsement statement type, which may further direct the interpretation of its encoding.
public string interpretation_aid;
This field contains a possibly well known identifier that may aid in the interpretation of the identity statement's encoding. It may be an empty string, which signifies that there is no known interpretation aid for the encoding, or that there is no encoding.