[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Delegation in SDSI

SDSI has two forms of delegation:

	(1) I can delegate (or authorize) someone by adding them as a
            member to a group I control.  If I add Bob to my group
            "search-committee-members", then Bob is authorized to access
            any object that has my group "search-committee-members" on
            its access-control list.

	(2) I can authorize someone to be able to sign objects of a certain
            form on my behalf.  The "certain form" is defined by giving a
            template that the object must match.  

            For example, I can give one of my servers the authority to sign
            membership certificates for my group "crypto-fans".  I would 
            give the server the group definition, and it can sign such 
            certificates for me. 

Are these forms of delegation enough? Too much?  Just right?

	Ron Rivest