[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Delegate

At 11:26 AM -0800 12/17/96, Kent Crispin wrote:
>I agree with Bill that "delegate" is perhaps a misleading name for
>this flag, but "Final" seems a little strange to me, also.
>As I understand it, the meaning of this flag is "has permission to
>create a new certificate with the same or some subset of the
>privileges of this certificate".  So I would call it the "CreateCert"
>permission bit.

I didn't like Final too much either.  I "borrowed" it from lanugages like
Java.  CreateCert sounds good.

>If your certificate has it, you can create new
>certificates; if it doesn't, you can't.  Implicit is the idea that
>the new certificate could have less authority (including not having
>the "CreateCert" flag set.)

Instead, I would say that the verifier will accept this cert in the middle
of a chain of certs (for Boolean), or it will accept this cert if it is no
more than n from the start of the chain (for int).  Again, I would like to
phrase the specification in terms of what the verifier will do, not what
the permission the user has.

Bill Frantz       | I still read when I should | Periwinkle -- Consulting
(408)356-8506     | be doing something else.   | 16345 Englewood Ave.
frantz@netcom.com | It's a vice. - R. Heinlein | Los Gatos, CA 95032, USA

Follow-Ups: References: