[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: FW: Delegate
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Derek" == Derek Atkins <firstname.lastname@example.org> writes:
Derek> The only problem with this model is that you don't
Derek> necessarily know how long an internal chain-of-command is.
Derek> This is similar to IP subnetting. For example, from
Derek> outside MIT (which has net 18), there is a single
In my intended/imagined application of SPKI, subnetting is *exactly*
the problem at hand. It involves having certificates presented to
host based IPsec key managers by firewalls asserting that they are the
legitimate firewall to reach, e.g. 184.108.40.206/26. Authority would
necessarily descend from some backbone. When you get to /32, you
probably can't delegate any further, although you might then append a
Derek> Similar is true for authority delegation. From the outside
Derek> you don't necessarily know how deep the chain will be.
Derek> Unless you have intimate knowledge of the political base
Derek> inside the "firewall", you won't necessarily know how deep
With a binary CertDepth or FinalCert (let's use Carl's proposed
terms, they are more clear), is clear that you must allow the 18/8
prefix people to delegate. How much is their business.
I imagine that "MAX_INT" means infinity in SET? So you can simulate
a binary delegation with the set [0,MAX]. Those who need more detailed
control can pick integer values.
Derek> So, how can you ask people to set cert-depths if they don't
Derek> know how deep those chains need to be?
:!mcr!: | Network security consulting and
Michael Richardson | contract programming
WWW: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">email@example.com</A>. PGP key available.
-----BEGIN PGP SIGNATURE-----
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
-----END PGP SIGNATURE-----