[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AUTH statements for common Internet cases

To: spki@c2.org
Subject: AUTH statements for common Internet cases
From: Carl Ellison <cme@cybercash.com>
Date: Thu, 20 Jun 1996 10:59:04 -0400
Cc: gnu@toad.com, mab@research.att.com
Sender: owner-spki@c2.org

>Re: comments on client auth

At 10:14 AM 6/20/96 -0400, Carl Ellison wrote:
[speaking of how to format AUTH records in an SPKI certificate, giving
access permission as well as permission to delegate that access permission]

>I would like it if each of you would take a crack at generating a list of
>authority lines for things like machine access or whatever else is important
>to you.  We also need to be able to specify if the authority holder has the
>authority also to delegate it -- and if so, how far (maybe a permitted hop
>count?).
>
>If this were files, we could imitate UNIX (rwx) permissions and give each
>one an optional hop count besides with the rule that any delegation has to
>use a strictly lesser hop count.  Let's expand that set to (rwad) (read,
>write, add, delete):
>
>>E.g.: for file system access
>
>FS: (R4W1A2D1) /home/user/cme/spki/

------------------------

Clearly, instead of a pathname this needs to be a URL -- e.g.,

FS: (R*) http://www.clark.net/pub/cme/html/cert.html

(meaning read-only and permission to delegate indefinitely -- so that this
person could generate a cert with (R*) or (R8) or any other number)

FS: (R12A) ftp://ftp.clark.net/pub/cme/

(meaning permission to read and delegate 12 hops deep (effectively infinite,
but I needed an example); permission to write but not to delegate that
permission;

The permission here is for a directory only.)

FS: (R3A) ftp://ftp.clark.net/pub/cme/ [...]

(meaning permission at that directory and all files and directories under it
as well as permission to generate certs for others with (R2), (R1) or (R)
permission)

-------

The examples above assume a file system which grants access based on
certificates.  I know of none, today.

Today we have UNIX, for example, with its own access granting based on user
name.  So, we'd need auth lines like:

FTP: 1,ftp.clark.net,cme

(meaning permission to enter ftp.clark.net as user cme, with permission to
delegate but not to delegate delegation)

TELNET: 0,cybercash.com,cme

(meaning permission to telnet into cybercash.com as user cme, with no
permission to delegate)

---------------

 - Carl

+--------------------------------------------------------------------------+
|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                              http://www.cybercash.com/    |
|207 Grindall Street           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103       T:(410) 727-4288     F:(410)727-4293        |
+--------------------------------------------------------------------------+

Prev by Date: Re: comments on client auth
Next by Date: Re: comments on client auth
Prev by thread: Re: SDSI name interpretation
Next by thread: Re: comments on client auth -Reply
Index(es):
- Main
- Thread