
RE: Delegate

>I like the idea of a "may-delegate" or "final" bit.  I don't see much use
>for the integer version of this.  I think a case should be made for integers
>over bits if one is to adopt integers.   Simpler is better, usually.

>This seems to work well when the recipient is a key.  When the recipient is
>a (e.g. SDSI) name, then the constraint seems to be either overkill (the name
>can't even be bound to a key) or underkill (the name owner can bind it to
>many different names).  

I see two "natures" of delegation. The first is when I
delegate to myself, the second when I delegate to an
external authority.

Delegating to oneself occurs simply as a result of good
key management practice. I have a master key in a bank 
vault somewhere and an everyday key which may possibly
be compromised. Alternatively, in an organization the key
may be provided to some internal minion, certified in
a manner that restricts its use precisely, e.g. a key
which certifies the authenticity of press releases and
cannot be used to sign contracts.

Delegation to an external authority seems to me to be
very different in nature. If I delegate certification of
software providers to (e.g.) VeriSign then that is a very
different matter, particularly for a third party using
my certificates.

If we imagine for a moment that Ron runs a key server 
which has key certs. for everyone in his group and also
(for his own convenience say) VeriSign. I am very likely
to decide that Ron is a suitable person to authenticate 
the members of his group but that is a very different step
from deciding that he is a suitable person to authenticate
other CAs. On the other hand if Ron were to delegate the
internal responsibilities of managing the key certs to a
grad student that would be an entirely different matter.

This seems to speak for a need to distinguish both the type
of delegation as well as the depth. If I issue a cert for
Ron's CA I am likely to want to be able to say "I trust Ron
or someone he trusts as a CA for names in the following domain".

I think that as a practical matter the Vice President in charge
of CA infrastructure for a company like General Motors is
very likely to want the type of control given by an integer
"delegation bit". In that position I would certainly expect
to have to delegate CA authority and probably the ability to 
delegate CA authority since I would probably have each division
of the company running sub-CAs. On the other hand the "all or
nothingness" of a binary bit seems to me to be somewhat 
artificial. I am likely to want to restrict the depth of the 
tree to one, two or three levels to simplify auditing. Having a 
choice of zero or infinite levels seems a bit limiting.

This coupled with the observation that if a binary toggle is
chosen it leaves the door open to "extensionism" much
of which may be clueless. One of the sad parts of the Web is
the way that bug ugly kludges such as JavaScript have been
thrown in by vendors with a nanosecond of thought. If we had
put Tony Sanders' proposal for a general transclusion mechanism
into the HTML spec the confusion caused by the interference 
between the IMG tag and Frames could have been avoided.
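
Added example, not part of the original message or of any SPKI/SDSI code: a chain check that enforces an integer delegation depth together with a name domain, with the binary bit modelled as the two special cases depth 0 ("final") and depth None ("may-delegate"). The Cert fields, the check_chain function and the gm.example names are constructed for illustration, and signature verification is assumed to have been done elsewhere.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    domain: str            # name suffix the subject may certify, e.g. ".gm.example"
    depth: Optional[int]   # levels of sub-CA the subject may create; None = unlimited

def in_domain(name: str, domain: str) -> bool:
    # An empty domain means "no restriction" (used for the root).
    return name == domain.lstrip(".") or name.endswith(domain)

def check_chain(root: str, chain: List[Cert], name: str) -> Tuple[bool, str]:
    """Accept `name` only if every link stays inside the depth and domain granted above it."""
    issuer, budget, scope = root, None, ""      # the root itself is unconstrained
    for i, cert in enumerate(chain):
        if cert.issuer != issuer:
            return False, f"link {i}: issued by {cert.issuer}, expected {issuer}"
        if i > 0:                               # this link is a delegation made by a sub-CA
            if budget == 0:
                return False, f"link {i}: {issuer} may not delegate further"
            if budget is not None:
                budget -= 1
        if not in_domain(cert.domain, scope):
            return False, f"link {i}: domain {cert.domain} is outside {scope}"
        # A cert may narrow, never widen, the depth it inherited.
        if cert.depth is not None:
            budget = cert.depth if budget is None else min(budget, cert.depth)
        issuer, scope = cert.subject, cert.domain
    if not in_domain(name, scope):
        return False, f"name {name} is outside {scope}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: headquarters may create one level of divisional sub-CA.
    hq = Cert("root", "HQ", ".gm.example", depth=1)
    trucks = Cert("HQ", "Trucks", ".trucks.gm.example", depth=0)
    lab = Cert("Trucks", "Lab", ".lab.trucks.gm.example", depth=0)
    print(check_chain("root", [hq, trucks], "alice.trucks.gm.example"))
    print(check_chain("root", [hq, trucks, lab], "bob.lab.trucks.gm.example"))
```

With depth=1 on the first certificate the two-link chain is accepted and the three-link chain is rejected; replacing every depth with None reproduces the unlimited behaviour of a binary may-delegate bit.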