Delegation in SDSI
SDSI has two forms of delegation:

(1) I can delegate (or authorize) someone by adding them as a
    member to a group I control. If I add Bob to my group
    "search-committee-members", then Bob is authorized to access
    any object that has my group "search-committee-members" on
    its access-control list.

(2) I can authorize someone to be able to sign objects of a certain
    form on my behalf. The "certain form" is defined by giving a
    template that the object must match.
    For example, I can give one of my servers the authority to sign
    membership certificates for my group "crypto-fans". I would
    give the server the group definition, and it can sign such
    certificates for me.

Are these forms of delegation enough? Too much? Just right?

Cheers,
Ron Rivest
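
The two forms of delegation described in the message above, as a verifier-side sketch. This is an added example, not part of the original message and not SDSI's own certificate syntax. Assumptions: the dictionary layout, the "*" wildcard, the principals other than Bob, and HMAC under per-principal secrets standing in for public-key signatures are all constructed for illustration.

```python
import hashlib, hmac, json

# Constructed principals. HMAC under a per-principal secret stands in for
# SDSI public-key signatures so the example runs on the standard library.
KEYS = {"ron": b"k-ron", "server1": b"k-server1", "mallory": b"k-mallory"}

def mac(signer, obj):
    body = json.dumps(obj, sort_keys=True).encode()
    return hmac.new(KEYS[signer], body, hashlib.sha256).hexdigest()

def sign(signer, obj):
    return {"obj": obj, "signer": signer, "sig": mac(signer, obj)}

def sig_ok(s):
    return s["signer"] in KEYS and hmac.compare_digest(mac(s["signer"], s["obj"]), s["sig"])

def matches(template, obj):
    # Same fields as the template; "*" in the template matches any value.
    return obj.keys() == template.keys() and all(
        t == "*" or t == obj[k] for k, t in template.items())

def cert_valid(cert, owner, delegations):
    # Form (2): a non-owner signature counts only if an owner-signed
    # delegation names that signer and its template matches the cert.
    if not sig_ok(cert):
        return False
    if cert["signer"] == owner:
        return True
    return any(sig_ok(d) and d["signer"] == owner
               and d["obj"]["delegate"] == cert["signer"]
               and matches(d["obj"]["template"], cert["obj"])
               for d in delegations)

def authorized(principal, group, owner, certs, delegations):
    # Form (1): access follows from valid membership in the ACL's group.
    want = {"type": "membership", "group": group, "member": principal}
    return any(c["obj"] == want and cert_valid(c, owner, delegations) for c in certs)

def member(group, who):
    return {"type": "membership", "group": group, "member": who}

# Constructed sample data: one delegation and four membership certificates.
DELEGATIONS = [sign("ron", {"delegate": "server1", "template": member("crypto-fans", "*")})]
CERTS = [
    sign("ron", member("search-committee-members", "bob")),
    sign("server1", member("crypto-fans", "alice")),
    sign("server1", member("search-committee-members", "carol")),  # outside template
    sign("mallory", member("crypto-fans", "mallory")),             # no delegation
]
```

The template is what bounds the server's authority: its certificate for "crypto-fans" is accepted, while its certificate for "search-committee-members" is rejected even though the signature itself verifies.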