[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Delegate

Bill Frantz allegedly said:
> >If your certificate has it, you can create new
> >certificates; if it doesn't, you can't.  Implicit is the idea that
> >the new certificate could have less authority (including not having
> >the "CreateCert" flag set.)
> Instead, I would say that the verifier will accept this cert in the middle
> of a chain of certs (for Boolean), or it will accept this cert if it is no
> more than n from the start of the chain (for int).  Again, I would like to
> phrase the specification in terms of what the verifier will do, not what
> the permission the user has.

That's really different from what I thought.  Maybe I'm getting my
terms messed up, but I wouldn't think the verifier would pay any
attention at all to this flag, unless the verifier itself were in a
position to create a new cert, and that was the operation in question. 

Having the flag set in the middle of a chain would be essentially
meaningless to the verifier -- all it does is go through the chain and
make sure it is verifiable all the way through.  The bit really does
not mean "delegate"! It has no meaning at all as far as verification
of the cert, or delegation of authority.  That's what you wanted,
wasn't it :-)

It just means that the holder of this particular cert is able to go 
to the signer of the cert to get a new cert with reduced authority, 
in whatever terms the signer of the cert understands.  

Kent Crispin				"No reason to get excited",
kent@songbird.com,kc@llnl.gov		the thief he kindly spoke...
PGP fingerprint:   5A 16 DA 04 31 33 40 1E  87 DA 29 02 97 A3 46 2F