[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Auth]Another Use Case for authorization
|
From: |
Gordon Hanson |
|
Subject: |
[Auth]Another Use Case for authorization |
|
Date: |
Wed, 11 Jul 2001 22:14:03 -0500 |
Alice is called away on a last minute business trip. She has forgotten to
refill her perscription for erythroemyatonin,
which is a drug that keeps her elipsogytomy in check. She will be in meetings
all day and is unable to go to the
pharmacy herself. during a break she uses her palm x to order the drug from a
local pharmacy, and have it delivered to
her hotel.
when the pharmacies web site gets the order, there are three things it needs to
verify
1. Can we legally sell this perscription to her ie. does she have a valid
perscription?
2. Is she really who she says she is?
3. How can we get payment?
first the pharmacy will check her identity by creating a random string, and
encrypting it with an ID-authenicators public
string, then the cyphertext will be sent to the ID-authenticator, and decrypted.
the ID-Authenticator, which happens to be Alices bank in this instance, looks
up the public key that was generated
when Alice opened her account, and re-encrypts the string. this cyphertext is
then sent directly to Alices Palm Pilot.
Alices Palm Pilot then decrypts the string for the final time and forwards it
back to the pharmacy.
Next the perscription needs to be checked for validity. for this the pharmacy
needs to check that the perscription was
written by a licensed doctor, and that the amount and dosage are correct. A
request for Information is made to Alices
Palm Pilot for the actual perscription.
Alice is asked to confirm the data being sent, and it is transferred.
Now the pharmacy has a prescription and needs to verify that the physician that
issued it is licenced. for this the
application checks the AMA (or any other trusted registry) in order to do this
they only need to send the identifying info
for the doctor. and await a response.
in this response is a locator string that points to the perscription database
service that the doctor uses. The application
then takes a digest of the prescription object and asks the db server to do the
same and send the results. the two
digests are compared and if they are identical then the prescription is valid.
the pharmacy asks Alices Palm Pilot how she would like to pay, and Alice
chooses to use her credit card. the CC
number and expiration date are forwarded to the pharmacy, and the order is
processed.
later that evening, her prescription arrives at the hotel, and is brought to
her room by one of the bellhops.
After writing this down I can see that only numbers 2 and 3 need to be handled
by the authorization mechanism. the
rest is domain specific.
can anybody see any problems with this one?
Gord Hanson
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Auth]Another Use Case for authorization,
Gordon Hanson <=