
Re: FW: Delegate


>>>>> "Derek" == Derek Atkins <warlord@mit.edu> writes:
    Derek> The only problem with this model is that you don't
    Derek> necessarily know how long an internal chain-of-command is.
    Derek> This is similar to IP subnetting.  For example, from
    Derek> outside MIT (which has net 18), there is a single

  In my intended/imagined application of SPKI, subnetting is *exactly*
the problem at hand. It involves having certificates presented to
host-based IPsec key managers by firewalls asserting that they are the
legitimate firewall to reach, e.g. Authority would
necessarily descend from some backbone. When you get to /32, you
probably can't delegate any further, although you might then append a
port/service number! 

    Derek> Similar is true for authority delegation.  From the outside
    Derek> you don't necessarily know how deep the chain will be.
    Derek> Unless you have intimate knowledge of the political base
    Derek> inside the "firewall", you won't necessarily know how deep

  With a binary CertDepth or FinalCert (let's use Carl's proposed
terms, they are more clear), it is clear that you must allow the 18/8
prefix people to delegate. How much is their business. 
  I imagine that "MAX_INT" means infinity in SET? So you can simulate
a binary delegation with the set [0,MAX]. Those who need more detailed
control can pick integer values. 

    Derek> So, how can you ask people to set cert-depths if they don't
    Derek> know how deep those chains need to be?

   :!mcr!:            |  Network security consulting and 
   Michael Richardson |      contract programming
 WWW: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html (mcr@sandelman.ottawa.on.ca). PGP key available.
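
Added example, not part of the original message and not SPKI's own code: a sketch of how a verifier could walk a prefix-delegation chain where each certificate carries an integer depth, with 0 meaning a final cert and a maximum value treated as infinity, so the set {0, MAX} behaves as binary delegation. The `Cert` fields, `check_chain`, the `MAX` value, the clamping rule and all key names and sub-prefixes are assumptions made for illustration; signature verification is left out.

```python
import ipaddress
from dataclasses import dataclass

MAX = 2**31 - 1  # assumed stand-in for "MAX_INT means infinity"

@dataclass
class Cert:
    issuer: str   # key that signed this cert (signature check omitted here)
    subject: str  # key being authorized
    prefix: str   # CIDR block the subject may speak for
    depth: int    # further delegations the subject may make; 0 = final cert

def check_chain(root, root_prefix, chain):
    """Walk a delegation chain from the trust anchor; return (ok, reason)."""
    holder, scope, remaining = root, ipaddress.ip_network(root_prefix), MAX
    for i, cert in enumerate(chain):
        if cert.issuer != holder:
            return False, f"cert {i}: issued by {cert.issuer}, expected {holder}"
        if remaining == 0:
            return False, f"cert {i}: {holder} holds a final cert, cannot delegate"
        net = ipaddress.ip_network(cert.prefix)
        if not net.subnet_of(scope):
            return False, f"cert {i}: {net} is outside {scope}"
        # Issuing this cert uses one level; MAX is treated as infinity and
        # does not count down. A larger requested depth is clamped.
        allowed = MAX if remaining == MAX else remaining - 1
        holder, scope, remaining = cert.subject, net, min(cert.depth, allowed)
    return True, f"{holder} is authorized for {scope}"

# Constructed sample chains; key names and sub-prefixes are made up.
ROOT = ("backbone", "0.0.0.0/0")
binary_ok = [Cert("backbone", "mit", "18.0.0.0/8", MAX),
             Cert("mit", "lab", "18.26.0.0/16", MAX),
             Cert("lab", "fw", "18.26.0.1/32", 0)]
binary_final = [Cert("backbone", "mit", "18.0.0.0/8", 0),
                Cert("mit", "lab", "18.26.0.0/16", 0)]
counted = [Cert("backbone", "mit", "18.0.0.0/8", 1),
           Cert("mit", "lab", "18.26.0.0/16", 5),   # clamped to 0
           Cert("lab", "fw", "18.26.0.1/32", 0)]
out_of_scope = [Cert("backbone", "mit", "18.0.0.0/8", MAX),
                Cert("mit", "other", "19.0.0.0/16", MAX)]

if __name__ == "__main__":
    for name, chain in [("binary_ok", binary_ok), ("binary_final", binary_final),
                        ("counted", counted), ("out_of_scope", out_of_scope)]:
        print(name, check_chain(*ROOT, chain))
```

With {0, MAX} the outside issuer only decides whether the 18/8 holder may delegate at all; an integer in between caps how deep the internal chain can go.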
