
Re: comments on client auth



At 02:04 PM 6/11/96 -0700, Peter Williams wrote:
>I'm
>assuming the SDSI models are coherent with SPKI!

SDSI has solved one of the biggest problems I've seen with X.509-like certs -- the lack of a global name space.  Rivest and Lampson have recognized that there is no such thing -- that all names are local.  To me, this smacks of early Relativity work and I think we're all convinced that it's a Good Thing.

They took that and extended it to allow a nice method of defining groups.

They've chosen an S-expression encoding with which some SPKI folks quibble, but to me the encoding isn't anywhere near as big an issue as the contents of a cert.  It's very important, IMHO, to throw out the kitchen sink and reduce certs to basics.

There is one apparent divergence between SDSI and SPKI which will work out shortly, I predict: SDSI as described in Ron's paper is strictly name-centric.  I have a way to merge key-centered certs into that structure, but I haven't written that up yet much less gotten agreement from Ron and Butler that it fits in their scheme.

Beyond that, the person I mentioned who is implementing SPKI is inside a large corporation where SDSI's name linking isn't as important as it is among us web crawlers.  The corporation has a single name space.  However, as they extend services to their customers, SDSI's naming will become very important, IMHO.

Beyond that, SDSI is a little weak in attribute certification.  It's all by group definition.  Blaze/Feigenbaum/Lacy have a good start at improving that and I've been working with one other person on an enhancement which should save a great deal of time and effort in dealing with certificates.

So -- what I write as my offering for the RFC isn't going to be straight SDSI, but it will certainly use that work!

--------back to your regular channel---------

 - Carl
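An added illustration of the naming model the message above describes, not part of Carl's message nor of the SDSI or SPKI specifications: a name is bound only within the namespace of a particular key, a name in one key's namespace may point into another key's namespace (a linked name), and a group is nothing more than a local name with several bindings. The key labels (KA, KB, ...), the certificate set and the resolver API are all constructed for this example; the S-expression rendering is only loosely modelled on the SPKI/SDSI form and is not the exact wire syntax.

```python
"""SDSI-style local names, linked names and groups (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Keys are stood in for by short labels here; in SDSI a principal *is* its
# public key, so "KA" should be read as "the holder of public key KA".
Key = str


@dataclass(frozen=True)
class NameCert:
    """One name binding: `name`, as defined in `issuer`'s namespace, means `subject`.

    `subject` is a tuple: ('KB',) binds the name to a key directly, while
    ('KB', 'friend') binds it to the linked name "KB's friend", which is
    resolved in KB's namespace at lookup time.
    """
    issuer: Key
    name: str
    subject: Tuple[str, ...]

    def to_sexp(self) -> str:
        """Render loosely in SPKI/SDSI S-expression style (illustrative only)."""
        if len(self.subject) == 1:
            subj = self.subject[0]
        else:
            subj = "(name " + " ".join(self.subject) + ")"
        return f"(cert (issuer (name {self.issuer} {self.name})) (subject {subj}))"


class NameResolver:
    """Resolves a linked name (key, n1, n2, ...) to the set of keys it denotes."""

    def __init__(self, certs: List[NameCert]):
        # Several certs for the same (issuer, name) pair form a group.
        self.bindings: Dict[Tuple[Key, str], List[Tuple[str, ...]]] = {}
        for c in certs:
            self.bindings.setdefault((c.issuer, c.name), []).append(c.subject)

    def resolve(self, key: Key, *names: str) -> FrozenSet[Key]:
        return self._resolve((key,) + names, frozenset())

    def _resolve(self, path: Tuple[str, ...], active: FrozenSet[Tuple[str, ...]]) -> FrozenSet[Key]:
        key, names = path[0], path[1:]
        if not names:                 # a bare key denotes itself
            return frozenset([key])
        if path in active:            # this linked name is already being resolved: cycle
            return frozenset()
        active = active | {path}
        result = set()
        for subject in self.bindings.get((key, names[0]), []):
            # Resolve the first name in `key`'s namespace to a set of keys, then
            # resolve the remaining names in each of those keys' namespaces.
            for k in self._resolve(subject, active):
                result |= self._resolve((k,) + names[1:], active)
        return frozenset(result)


# Constructed certificate set (not real keys or real bindings).
CERTS = [
    NameCert("KA", "bob", ("KB",)),               # "bob" in KA's namespace
    NameCert("KC", "bob", ("KD",)),               # a different "bob" in KC's namespace
    NameCert("KB", "friend", ("KE",)),            # "friend" in KB's namespace
    NameCert("KA", "bobs-friend", ("KB", "friend")),  # linked name: KB's friend
    NameCert("KA", "staff", ("KB",)),             # group "staff": KB ...
    NameCert("KA", "staff", ("KC", "team")),      # ... plus everyone in KC's team
    NameCert("KC", "team", ("KD",)),
    NameCert("KC", "team", ("KF",)),
    NameCert("KA", "loop", ("KB", "loop")),       # mutual reference, must terminate
    NameCert("KB", "loop", ("KA", "loop")),
]
RESOLVER = NameResolver(CERTS)

if __name__ == "__main__":
    for c in CERTS:
        print(c.to_sexp())
    print("KA's bob        ->", sorted(RESOLVER.resolve("KA", "bob")))
    print("KC's bob        ->", sorted(RESOLVER.resolve("KC", "bob")))
    print("KA's bob's friend ->", sorted(RESOLVER.resolve("KA", "bob", "friend")))
    print("KA's staff      ->", sorted(RESOLVER.resolve("KA", "staff")))
    print("KA's loop       ->", sorted(RESOLVER.resolve("KA", "loop")))
```

The two "bob" bindings resolve to different keys because each lives in a different key's namespace, which is the point of the "all names are local" observation; the chain "KA's bob's friend" is resolved one namespace at a time, and the cycle between KA's and KB's "loop" names yields an empty set rather than infinite recursion, a check any resolver over linked names needs.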