[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Delegate

To: "Phillip M. Hallam-Baker" <hallam@ai.mit.edu>
Subject: RE: Delegate
From: Carl Ellison <cme@cybercash.com>
Date: Wed, 18 Dec 1996 15:43:05 -0500
Cc: "Spki (E-mail)" <spki@c2.net>
Sender: owner-spki@c2.net

-----BEGIN PGP SIGNED MESSAGE-----

At 12:11 PM 12/18/96 -0500, Phillip M. Hallam-Baker wrote:
>This seems to speak for a need to distinguish both the type
>of delegation as well as the depth. If I issue a cert for
>Ron's CA I am likely to want to be able to say "I trust Ron
>or someone he trusts as a CA for names in the following domain"

Delegation doesn't happen in a vacuum.  The D in <I,S,D,A,V> applies
only to the authorization, A.  As for "CA for names", the concept
doesn't really apply in SDSI (or SPKI since we adopted
SDSI's names).  Each keyholder is the master of his own namespace
and only his own namespace.  The authority to grant someone
the authority to be a CA is an X.509 peculiarity which should
not appear inside SPKI or SDSI (except when we need, for our own
purposes, to construct a 5-tuple granting authority to some
root key (like VeriSign's)).

>I think that as a practical matter Vice President in charge
>of CA infrastructure for a company like general motors is
>very likely to want the type of control given by an integer
>"delegation bit". In that position I would certainly expect
>to have to delegate CA authority and probably the ability to 
>delegate CA authority since I would probably have each division
>of the company running sub-CAs. On the other hand the "all or
>nothingness" of a binary bit seems to me to be somewhat 
>artificial. I am likely to want to restrict the depth of the 
>tree to one, two or three levels to simplify auditing. Having a 
>choice of zero or infinite levels seems a bit limiting.

You and Donald Eastlake have both advocated the integer depth.
BTW, SET certs include a certification depth allowance.

Can you come up with more words about how the integer simplifies
auditing?  ...or other advantages the integer would have?

 - Carl

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMrhXUVQXJENzYr45AQEjcgP+N1XJNRvs7v0IlPvnjgti63ZnVq+jyeoN
RinZ+V2nEDAbN3xoPvIKxkZHz1Kwv0Fc/eJ1OJm9/nVzCgm9CRxy3TzEgiOY8omV
fWtEIlmR+RlDB379pprdIlcGe53OS6xGMZErRDRYT3RpoyMxLGyF3rY6eNVr5SVR
6IW/Ms3S2Zo=
=daJa
-----END PGP SIGNATURE-----

+------------------------------------------------------------------+
|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
+------------------------------------------------------------------+

Prev by Date: Re: Groups
Next by Date: FW: Delegate
Prev by thread: RE: Delegate
Next by thread: [cme@cybercash.com: Re: Delegate]
Index(es):
- Main
- Thread