slides on SPKI -- new thought
In the presentation I gave at IETF (following a similar one at W3C), I noted
that the dangling "root" key for a traditional ID certificate chain had to
be closed into a loop and I drew a link from the verifier to the ID cert root.
I realized this a.m. that there is a much cleaner model for this (thanks in
part to Paul Lambert who planted the idea seed).
Instead of having an ACL entry (or attribute cert) binding <auth,name>
followed by an ID cert binding <name,key> to yield what we want: <auth,key>
the ACL entry should be using a fully qualified name of the form (K name).
K is a public key which defines the namespace. In SDSI, this is a clear
concept. In X.509-style ID hierarchies, K is the root key.
So, I have drawn up slides (in PowerPoint) for the standard SPKI talk --
showing ACL entries binding <auth,(K name)> and therefore anchoring the
hierarchy root not to the verifier but to the ACL entry.
For cases where the verifier, granter and ACL author are all the same, this
is a moot point. For cases where the ACL entry is a certificate from
someone other than the verifier, this becomes important.
- Carl
+------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+------------------------------------------------------------------+
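
The reduction described in the message above, as an added example that is not part of the original post: an ACL entry plus an ID cert are reduced to <auth,key>, once with a bare name (resolved against whatever root the verifier holds) and once with a fully qualified (K name). All key names, the `NameCert`/`AclEntry` types and the sample data are constructed for illustration, and signature checking on the certs is assumed to have already succeeded.

```python
from typing import NamedTuple, Optional

class NameCert(NamedTuple):
    """ID cert: 'issuer' key binds <name,key> inside its own namespace."""
    issuer: str
    name: str
    key: str

class AclEntry(NamedTuple):
    """ACL entry binding <auth,(K name)>; namespace is None for a bare name."""
    auth: str
    namespace: Optional[str]
    name: str

def authorized_keys(acl, certs, verifier_root):
    """Reduce ACL entries and ID certs to the set of <auth,key> pairs.

    A bare name is resolved against the verifier's own root key (the link
    drawn from the verifier to the ID cert root). A qualified name is
    resolved only against the K written in the ACL entry itself.
    """
    result = set()
    for entry in acl:
        k = entry.namespace if entry.namespace is not None else verifier_root
        for cert in certs:
            if cert.issuer == k and cert.name == entry.name:
                result.add((entry.auth, cert.key))
    return result

# Constructed data: two namespaces each define their own "alice".
CERTS = [
    NameCert("K_author_root", "alice", "K_alice"),
    NameCert("K_verifier_root", "alice", "K_other_alice"),
]
BARE = [AclEntry("read", None, "alice")]
QUALIFIED = [AclEntry("read", "K_author_root", "alice")]

def compare():
    """Evaluate both ACL styles at a verifier other than the ACL author."""
    return {
        "bare": authorized_keys(BARE, CERTS, "K_verifier_root"),
        "qualified": authorized_keys(QUALIFIED, CERTS, "K_verifier_root"),
    }

if __name__ == "__main__":
    for style, pairs in compare().items():
        print(style, sorted(pairs))
```

When the verifier and the ACL author share a root the two styles give the same answer; they diverge only when the entry is evaluated by someone else.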