Re: comments on client auth
At 02:04 PM 6/11/96 -0700, Peter Williams wrote:
>assuming the SDSI models are coherent with SPKI!
SDSI has solved one of the biggest problems I've seen with X.509-like certs -- the lack of a global name space. Rivest and Lampson have recognized that there is no such thing -- that all names are local. To me, this smacks of early Relativity work and I think we're all convinced that it's a Good Thing.
They took that and extended it to allow a nice method of defining groups.
They've chosen an S-expression encoding with which some SPKI folks quibble, but to me the encoding isn't anywhere near as big an issue as the contents of a cert. It's very important, IMHO, to throw out the kitchen sink and reduce certs to basics.
There is one apparent divergence between SDSI and SPKI which will work out shortly, I predict: SDSI as described in Ron's paper is strictly name-centric. I have a way to merge key-centered certs into that structure, but I haven't written that up yet, much less gotten agreement from Ron and Butler that it fits in their scheme.
Beyond that, the person I mentioned who is implementing SPKI is inside a large corporation where SDSI's name linking isn't as important as it is among us web crawlers. The corporation has a single name space. However, as they extend services to their customers, SDSI's naming will become very important, IMHO.
Beyond that, SDSI is a little weak in attribute certification. It's all by group definition. Blaze/Feigenbaum/Lacy have a good start at improving that and I've been working with one other person on an enhancement which should save a great deal of time and effort in dealing with certificates.
So -- what I write as my offering for the RFC isn't going to be straight SDSI, but it will certainly use that work!
--------back to your regular channel---------