[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

slides on SPKI -- new thought


In the presentation I gave at IETF (following a similar one at W3C), I noted 
that the dangling "root" key for a traditional ID certificate chain had to 
be closed into a loop and I drew a link from the verifier to the ID cert root.

I realized this a.m. that there is a much cleaner model for this (thanks in 
part to Paul Lambert who planted the idea seed).

Instead of having an ACL entry (or attribute cert) binding <auth,name> 
followed by an ID cert binding <name,key> to yield what we want: <auth,key>

the ACL entry should be using a fully qualified name of the form (K name).  
K is a public key which defines the namespace.  In SDSI, this is a clear 
concept.  In X.509-style ID hierarchies, K is the root key.

So, I have drawn up slides (in PowerPoint) for the standard SPKI talk -- 
showing ACL entries binding <auth,(K name)> and therefore anchoring the 
hierarchy root not to the verifier but to the ACL entry.

For cases where the verifier, granter and ACL author are all the same, this 
is a moot point.  For cases where the ACL entry is a certificate from 
someone other than the verifier, this becomes important.

 - Carl

Version: 2.6.2


|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |