
Re: FW: Delegate



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Derek" == Derek Atkins <warlord@mit.edu> writes:
    Derek> The only problem with this model is that you don't
    Derek> necessarily know how long an internal chain-of-command is.
    Derek> This is similar to IP subnetting.  For example, from
    Derek> outside MIT (which has net 18), there is a single

  In my intended/imagined application of SPKI, subnetting is *exactly*
the problem at hand. It involves having certificates presented to
host-based IPsec key managers by firewalls asserting that they are the
legitimate firewall to reach, e.g. 205.233.54.128/26. Authority would
necessarily descend from some backbone. When you get to /32, you
probably can't delegate any further, although you might then append a
port/service number! 

    Derek> Similar is true for authority delegation.  From the outside
    Derek> you don't necessarily know how deep the chain will be.
    Derek> Unless you have intimate knowledge of the political base
    Derek> inside the "firewall", you won't necessarily know how deep

  With a binary CertDepth or FinalCert (let's use Carl's proposed
terms, they are more clear), it is clear that you must allow the 18/8
prefix people to delegate. How much is their business. 
  I imagine that "MAX_INT" means infinity in SET? So you can simulate
a binary delegation with the set [0,MAX]. Those who need more detailed
control can pick integer values. 

    Derek> So, how can you ask people to set cert-depths if they don't
    Derek> know how deep those chains need to be?

   :!mcr!:            |  Network security consulting and 
   Michael Richardson |      contract programming
 WWW: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html <mcr@sandelman.ottawa.on.ca>. PGP key available.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQBVAwUBMrmhvNTTll4efmtZAQHOBgH+KekP7DxM5PeYX3I6598p822aUup1l2oQ
1kQo2pU21bAh80UwwDg2/IPSfPxqfb1NwCORBbaaVBb/LUhCyiIoSA==
=jbgE
-----END PGP SIGNATURE-----
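
The prefix delegation discussed in the message above, as an added example that is not part of the original post or of any SPKI implementation. The `Cert` record, the names in `CHAIN`, the value of `MAX_DEPTH`, and the reading of depth as "number of further certificates allowed below this one" are all assumptions made for illustration.

```python
import ipaddress
import math
from collections import namedtuple

MAX_DEPTH = 2**31 - 1  # assumed encoding of "MAX_INT means infinity"

# Constructed record, not an SPKI wire format. depth is assumed to mean
# how many further certificates may be chained below this one.
Cert = namedtuple("Cert", "issuer subject prefix depth")

def _budget(depth):
    # Treat MAX_DEPTH as unlimited so it is never decremented.
    return math.inf if depth >= MAX_DEPTH else depth

def check_chain(root, chain, target):
    """Walk a chain ordered from the trust root down to the firewall.

    Returns (ok, reason). Each certificate must be issued by the previous
    subject, must narrow (never widen) the prefix, and must fit inside the
    delegation budget left by every certificate above it.
    """
    holder, scope, budget = root, ipaddress.ip_network("0.0.0.0/0"), math.inf
    for i, cert in enumerate(chain):
        net = ipaddress.ip_network(cert.prefix)
        if cert.issuer != holder:
            return False, f"cert {i}: issued by {cert.issuer}, expected {holder}"
        if budget < 1:
            return False, f"cert {i}: {holder} may not delegate further"
        if not net.subnet_of(scope):
            return False, f"cert {i}: {net} is outside {scope}"
        holder, scope = cert.subject, net
        # An upstream integer limit always wins over a downstream claim.
        budget = min(budget - 1, _budget(cert.depth))
    if not ipaddress.ip_network(target).subnet_of(scope):
        return False, f"{target} is not covered by {scope}"
    return True, f"{holder} speaks for {scope}"

# Constructed chain: the binary case uses only the depths 0 and MAX_DEPTH.
CHAIN = [
    Cert("backbone", "isp", "205.233.0.0/16", MAX_DEPTH),
    Cert("isp", "site", "205.233.54.0/24", MAX_DEPTH),
    Cert("site", "fw", "205.233.54.128/26", 0),  # final cert
]

if __name__ == "__main__":
    print(check_chain("backbone", CHAIN, "205.233.54.130/32"))
    # Integer control: the backbone allows only one more level below "isp".
    limited = [CHAIN[0]._replace(depth=1)] + CHAIN[1:]
    print(check_chain("backbone", limited, "205.233.54.130/32"))
```

With depth 1 on the first certificate, the second certificate's claim of unlimited depth is capped to zero, so the third certificate is rejected even though its prefix is valid.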
