
Re: comments on client auth



At 02:04 PM 6/11/96 -0700, Peter Williams wrote:
>I'm
>assuming the SDSI models are coherent with SPKI!

SDSI has solved one of the biggest problems I've seen with X.509-like certs
-- the lack of a global name space.  Rivest and Lampson have recognized that
there is no such thing -- that all names are local.  To me, this smacks of
early Relativity work and I think we're all convinced that it's a Good Thing.

They took that and extended it to allow a nice method of defining groups.

They've chosen an S-expression encoding with which some SPKI folks quibble,
but to me the encoding isn't anywhere near as big an issue as the contents
of a cert.  It's very important, IMHO, to throw out the kitchen sink and
reduce certs to basics.

There is one apparent divergence between SDSI and SPKI which will work out
shortly, I predict: SDSI as described in Ron's paper is strictly
name-centric.  I have a way to merge key-centered certs into that structure,
but I haven't written that up yet, much less gotten agreement from Ron and
Butler that it fits in their scheme.

Beyond that, the person I mentioned who is implementing SPKI is inside a
large corporation where SDSI's name linking isn't as important as it is
among us web crawlers.  The corporation has a single name space.  However,
as they extend services to their customers, SDSI's naming will become very
important, IMHO.

Beyond that, SDSI is a little weak in attribute certification.  It's all by
group definition.  Blaze/Feigenbaum/Lacy have a good start at improving that
and I've been working with one other person on an enhancement which should
save a great deal of time and effort in dealing with certificates.

So -- what I write as my offering for the RFC isn't going to be straight
SDSI, but it will certainly use that work!

--------back to your regular channel---------

 - Carl


+--------------------------------------------------------------------------+
|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                              http://www.cybercash.com/    |
|207 Grindall Street           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103       T:(410) 727-4288     F:(410)727-4293        |
+--------------------------------------------------------------------------+

