DCAF Overview
The figure below shows the four-legged DCAF architecture. Each constrained device has an own authorization manager that helps with authentication and authorization and provides a responsive user interface. The client (C) is coupled with the client authorization manager (CAM) while the server (S) is controlled by the server authorization manager (SAM). The overseeing principals (i.e., the human beings that administrate the devices) configure authorization policies for their devices on the managers. The overseeing principals do not have to trust managers from other domains with the configuration of their devices.
DCAF Protocol Flow
The DCAF protocol flow for the four-legged architecture is given below. A client that wants to communicate with a server must first request access from the server’s authorization manager. Since this may be difficult for a constrained client, it contacts its own CAM. CAM is less constrained and therefore able to authenticate SAM and validate SAM’s authorization. Similarly, SAM is able to check CAM’s identity and authorization. If both authorization managers approve of the communication, an access ticket is generated that consists of two parts: the ticket face for the server and the client information for the client. With their respective parts of the ticket, C and S are able to communicate securely.