[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: comments on client auth

At 10:47 PM 6/19/96 -0700, Bill Frantz wrote:
>We must be careful to build systems where princpals will not want to share
>keys.  I think this goal will be hard to meet, considering how often people
>share passwords in the real world.  One implication of this goal is that it
>must be easy to pass selected parts of one's privileges to other actors. 
>(It is already easy to pass your secret key, and passing it shares all your

The hard part I envision here is the generation of authority statements
(what I used to call Meaning) for certs.  I generated a list for CyberCash
the other day (just for current protocols plus SET -- none for internal FTP
access, etc.).

Here's what I came up with there:

"For now, I believe we need the following specific authorities (where
<brand> is MC or VISA or whatever other card brand joins the SET protocol):

CC-WALLET: <walletID>
SET-ACCT: MC,5321012345678901,199610
SET-ACCT: VISA,4758123456789012,199701
SET-MER: <brand>,<merchantID>
SET-CCA: <brand>
SET-MCA: <brand>
SET-PGWY: <brand>
SET-PCA: <brand>
SET-GCA: <brand>
SET-BCA: <brand>

as well as explicit authorities for securing internal command and control

Notice that I left the most important part unspecified.

I would like it if each of you would take a crack at generating a list of
authority lines for things like machine access or whatever else is important
to you.  We also need to be able to specify if the authority holder has the
authority also to delegate it -- and if so, how far (maybe a permitted hop

If this were files, we could imitate UNIX (rwx) permissions and give each
one an optional hop count besides with the rule that any delegation has to
use a strictly lesser hop count.  Let's expand that set to (rwad) (read,
write, add, delete):

E.g.: for file system access

FS: (R4W1A2D1) /home/user/cme/spki/


Could you each come up with a list of such Auth: lines that your apps need?

 - Carl

|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                              http://www.cybercash.com/    |
|207 Grindall Street           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103       T:(410) 727-4288     F:(410)727-4293        |