Re: comments on client auth
- To: peter@verisign.com
- Subject: Re: comments on client auth
- From: Carl Ellison <cme@cybercash.com>
- Date: Tue, 11 Jun 1996 18:22:10 -0400
- Cc: ssl-talk@netscape.com, spki@c2.org
- Resent-Date: Tue, 11 Jun 1996 15:22:12 -0700 (PDT)
- Resent-From: ssl-talk@netscape.com
- Resent-Message-Id: <"TBrwX2.0._m1.46Vln"@glacier>
- Resent-Sender: ssl-talk-request@netscape.com
At 02:04 PM 6/11/96 -0700, Peter Williams wrote:
>I'm
>assuming the SDSI models are coherent with SPKI!

SDSI has solved one of the biggest problems I've seen with X.509-like certs
-- the lack of a global name space. Rivest and Lampson have recognized that
there is no such thing -- that all names are local. To me, this smacks of
early Relativity work and I think we're all convinced that it's a Good Thing.
They took that and extended it to allow a nice method of defining groups.
They've chosen an S-expression encoding with which some SPKI folks quibble,
but to me the encoding isn't anywhere near as big an issue as the contents
of a cert. It's very important, IMHO, to throw out the kitchen sink and
reduce certs to basics.

There is one apparent divergence between SDSI and SPKI which will work out
shortly, I predict: SDSI as described in Ron's paper is strictly
name-centric. I have a way to merge key-centered certs into that structure,
but I haven't written that up yet much less gotten agreement from Ron and
Butler that it fits in their scheme.

Beyond that, the person I mentioned who is implementing SPKI is inside a
large corporation where SDSI's name linking isn't as important as it is
among us web crawlers. The corporation has a single name space. However,
as they extend services to their customers, SDSI's naming will become very
important, IMHO.

Beyond that, SDSI is a little weak in attribute certification. It's all by
group definition. Blaze/Feigenbaum/Lacy have a good start at improving that
and I've been working with one other person on an enhancement which should
save a great deal of time and effort in dealing with certificates.

So -- what I write as my offering for the RFC isn't going to be straight
SDSI, but it will certainly use that work!
--------back to your regular channel---------
- Carl
+--------------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+--------------------------------------------------------------------------+