Controller Architecture
Policy Setup
The controller reads its config and policy files to learn which streams exist, which consumer identities are allowed, and what ABE policy string applies to each group. It parses the available-streams file and policyList into an internal map from consumer identity → {policy id, allowed streams, ABE policy}. This map is what it later uses when a consumer asks for POLICYDATA.
Attribute Authority (AA)
Using the AA certificate and trust schema, the controller instantiates the AA module and registers each policy there. For every requester identity in the policy files, it loads that requester’s certificate and calls into the AA to add the policy (identity + ABE policy string). This lets the AA later issue matching decryption keys (DKEYs) that are consistent with what the controller advertises in POLICYDATA.
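The sketch below is an added example, not the controller's own code. It shows the policy map and the AA registration being kept consistent, so that a POLICYDATA lookup denies any identity that is unknown or whose AA entry no longer matches. The record layout, the StubAA class, the one-policy-per-identity rule, and all names and policy strings are assumptions made for illustration; the real file formats are not shown on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyEntry:
    policy_id: str
    streams: frozenset
    abe_policy: str

class StubAA:
    """Hypothetical stand-in for the AA module: remembers identity -> ABE policy."""
    def __init__(self):
        self.registered = {}
    def add_policy(self, identity, cert, abe_policy):
        if cert is None:  # register only requesters whose certificate loaded
            raise ValueError(f"no certificate for {identity}")
        self.registered[identity] = abe_policy

def build_policy_map(available_streams, policy_list):
    """Return consumer identity -> PolicyEntry, rejecting inconsistent records."""
    available, policy_map = set(available_streams), {}
    for rec in policy_list:
        unknown = set(rec["streams"]) - available
        if unknown:
            raise ValueError(f"policy {rec['id']}: unknown streams {sorted(unknown)}")
        for identity in rec["requesters"]:
            if identity in policy_map:  # assumption: one policy per identity
                raise ValueError(f"{identity} listed in more than one policy")
            policy_map[identity] = PolicyEntry(
                rec["id"], frozenset(rec["streams"]), rec["abe_policy"])
    return policy_map

def register_with_aa(aa, policy_map, certs):
    for identity, entry in policy_map.items():
        aa.add_policy(identity, certs.get(identity), entry.abe_policy)

def policydata_for(policy_map, aa, identity):
    """Entry to advertise in POLICYDATA, or None (deny) if unknown or out of sync."""
    entry = policy_map.get(identity)
    if entry is None or aa.registered.get(identity) != entry.abe_policy:
        return None
    return entry

# Constructed sample input; names and policy strings are invented.
STREAMS = ["/example/heart_rate", "/example/location"]
POLICIES = [{"id": "1", "requesters": ["/example/consumer/a"],
             "streams": ["/example/heart_rate"], "abe_policy": "role:doctor"}]
CERTS = {"/example/consumer/a": "constructed-cert-a"}
```

Failing at startup on an unknown stream or a missing requester certificate keeps the controller from advertising a policy for which the AA could never issue a matching DKEY.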
Certificate Serving
The controller serves its own certificate so that consumers can validate POLICYDATA responses. It also serves the AA certificate under the AA identity name, so that nodes validating AA-signed objects (like PUBPARAMS or DKEY) can build a full trust chain using the shared trust schema. Both are static “who am I / who is AA” anchors for the rest of the system.
Updated by Suravi Regmi 17 days ago · 1 revisions